Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 398687 (CVE-2012-0046)

Summary: <www-apps/mediawiki-1.18.1 : Cached Deleted Revision Content Disclosure Weakness (CVE-2012-0046)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: trapni, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 392383    

Description Agostino Sarubbo gentoo-dev 2012-01-12 18:04:35 UTC
From secunia security advisory at $URL:

The weakness is caused due to an error within the "execute()" function (includes/api/ApiQueryRevisions.php), which discloses old revision content and can be exploited to disclose deleted cached content by diffing to a hidden revision.

Successful exploitation requires that the content is cached by a caching server.

The weakness is reported in versions prior to 1.18.1 and 1.17.2.

Update to version 1.18.1 or 1.17.2.
Comment 1 Tim Harder gentoo-dev 2012-01-15 03:47:37 UTC
1.18.1 added to CVS.
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-15 10:03:20 UTC
(In reply to comment #1)
> 1.18.1 added to CVS.

Thanks Tim.

Arches, please test and mark stable:
target KEYWORDS : "amd64 ppc sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-15 15:07:16 UTC
amd64 stable
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2012-01-20 11:44:47 UTC
x86 stable. Thanks
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-01-28 18:37:22 UTC
sparc keywords dropped
Comment 6 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:19:27 UTC
ppc done; closing as last arch
Comment 7 Agostino Sarubbo gentoo-dev 2012-02-01 17:20:36 UTC
@security, please vote
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-02-02 02:40:50 UTC
Thanks, folks. GLSA Vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-20 21:40:42 UTC
Vote: no, too. Closing [noglsa].