
Bug 445065 (CVE-2012-5391)

Summary: <www-apps/mediawiki-1.19.3: Security Bypass Vulnerabilities (CVE-2012-5391)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/51424/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-28 11:41:05 UTC
From https://secunia.com/advisories/51424/ :

Description
Multiple vulnerabilities have been reported in MediaWiki, which can be exploited by malicious users 
and malicious people to bypass certain security restrictions.

1) Some unspecified errors can be exploited to gain access to another user's account.

2) An unspecified error can be exploited to prevent access to e.g. the "Special:RecentChanges" 
page.

The vulnerabilities are reported in versions prior to 1.18.6, 1.19.3, and 1.20.1.


Solution
Versions 1.18.6, 1.19.3, and 1.20.1 are scheduled to be released on November 29th, 2012 between 
21:00-22:00 UTC.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-November/000121.html
Comment 1 Tim Harder gentoo-dev 2012-11-30 04:38:07 UTC
Security bumps added to CVS. Feel free to stabilize 1.19.3.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-01 14:15:16 UTC
(In reply to comment #1)
> Security bumps added to CVS. Feel free to stabilize 1.19.3.

Thanks, Tim.

Arches, please test and mark stable:
=www-apps/mediawiki-1.19.3
Target KEYWORDS: "amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-12-01 21:26:33 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-02 15:42:33 UTC
ppc stable
Comment 5 Andreas Schürch gentoo-dev 2012-12-03 13:10:47 UTC
x86 done, last arch.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-06 18:26:03 UTC
Thanks, everyone.

GLSA vote: no.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-12-10 19:00:33 UTC
Thanks, folks. GLSA Vote: no too, closing noglsa.