Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 363891 (CVE-2011-1578)

Summary: <www-apps/mediawiki-1.16.4: Multiple vulnerabilities (CVE-2011-{1578,1579,1580,1587})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alexanderyt, trapni, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-04-16 21:38:39 UTC
MediaWiki 1.16.3 corrected several security issues:

http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000096.html

And from oss-security:

> 1) XSS with IE <= 6 due to improper handling of uploaded file names
Use CVE-2011-1578

> > 2) CSS validation error in wikitext parser
Use CVE-2011-1579

> > 3) transwiki import neglects to perform access control checks
Use CVE-2011-1580


Thanks for the quick bump. Unfortunately, the XSS fix was incomplete and 1.16.4 was released.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
Comment 1 Tim Harder gentoo-dev 2011-04-20 01:12:06 UTC
Bumped to 1.16.4 in CVS.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-04-20 01:17:19 UTC
(In reply to comment #1)
> Bumped to 1.16.4 in CVS.

Great, thank you.

Arches, please test and mark stable:
=www-apps/mediawiki-1.16.4
Target keywords : "amd64 ppc sparc x86"
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-04-20 01:24:44 UTC
CVE assigned for incomplete fix per http://www.openwall.com/lists/oss-security/2011/04/18/5.

----- Original Message -----
> Looks as though Mediawiki 1.16.3 did not fully fix the CVE-2011-1578
> issue (XSS), so 1.16.4 has been released:
> 
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
> 
> Could a CVE name get assigned to this?
> 

Please use CVE-2011-1587.
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-04-20 15:14:17 UTC
x86 stable. Thanks
Comment 5 Agostino Sarubbo gentoo-dev 2011-04-22 10:51:24 UTC
amd64 ok
Comment 6 RaĂșl Porcel (RETIRED) gentoo-dev 2011-04-23 17:49:42 UTC
sparc stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2011-04-24 02:59:35 UTC
Marked ppc stable.
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:45:22 UTC
amd64 done. Thanks Agostino
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 02:46:03 UTC
Thanks, everyone. GLSA Vote: no.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-04-26 23:18:47 UTC
Vote: NO. Closing noglsa.