
Bug 506018 (CVE-2014-2665)

Summary: <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: No CSRF token on Special:ChangePassword (CVE-2014-2665)
Product: Gentoo Security Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/03/28/1
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Alex Xu (Hello71) 2014-03-28 02:10:52 UTC
.
Comment 1 Tim Harder gentoo-dev 2014-04-13 12:40:48 UTC
Arches, please stabilize:

=www-apps/mediawiki-1.19.15
=www-apps/mediawiki-1.21.8
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-13 14:01:13 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-13 14:01:44 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-13 14:02:05 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-13 14:10:26 UTC
cleanup done.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:24:22 UTC
CVE-2014-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665):
  includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14,
  1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly
  handle a correctly authenticated but unintended login attempt, which makes
  it easier for remote authenticated users to obtain sensitive information by
  arranging for a victim to login to the attacker's account, as demonstrated
  by tracking the victim's activity, related to a "login CSRF" issue.
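The mechanism the CVE text describes, modelled as an added example (not MediaWiki's code): a change-password form that authenticates the credentials it carries and then binds the submitting browser session to that account, shown once without a request token and once with a session-bound one. The field name `csrf_token`, the handler names, the session store and the user accounts are all constructed for the demo.

```python
import hashlib, hmac, secrets

# Constructed server state (not MediaWiki's code): a server-only secret, two
# accounts, and the victim's browser session, which is logged in as alice.
SERVER_SECRET = secrets.token_bytes(32)

def _h(pw: str) -> str:  # toy hash for the demo; real code uses a slow KDF
    return hashlib.sha256(pw.encode()).hexdigest()
def fresh_state() -> dict:
    return {"users": {"alice": _h("alice-pw"), "mallory": _h("mallory-pw")},
            "sessions": {"sess-victim": "alice"}}  # session id -> account

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the browser session; a third-party page cannot derive it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _apply(state: dict, session_id: str, form: dict) -> str:
    # The form carries its own credentials: it authenticates whichever account
    # the POST names, then binds the submitting browser session to that account.
    user = form["username"]
    if state["users"].get(user) != _h(form["old"]):
        return "rejected: bad credentials"
    state["users"][user] = _h(form["new"])
    state["sessions"][session_id] = user
    return "changed; session now belongs to " + user

def change_password_unprotected(state: dict, session_id: str, form: dict) -> str:
    """Vulnerable shape: any POST riding on the victim's cookie is honoured."""
    return _apply(state, session_id, form)

def change_password_protected(state: dict, session_id: str, form: dict) -> str:
    """Hardened shape: the POST must carry the token issued to this session."""
    if not hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return _apply(state, session_id, form)

def simulate() -> dict:
    """Constructed scenario: a cross-site POST with mallory's own credentials rides on the victim's cookie."""
    forged = {"username": "mallory", "old": "mallory-pw", "new": "mallory-pw2"}
    out, s = {}, fresh_state()
    out["unprotected"] = change_password_unprotected(s, "sess-victim", forged)
    out["unprotected_owner"] = s["sessions"]["sess-victim"]  # victim now "mallory"
    s = fresh_state()
    out["protected"] = change_password_protected(s, "sess-victim", forged)
    out["protected_owner"] = s["sessions"]["sess-victim"]  # still "alice"
    legit = {"username": "alice", "old": "alice-pw", "new": "alice-pw2",
             "csrf_token": issue_csrf_token("sess-victim")}
    out["legit"] = change_password_protected(s, "sess-victim", legit)
    return out
```

Without the token the victim's session silently becomes the attacker's account; with it the same forged POST is dropped while the victim's own, token-bearing submission still goes through.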
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:55:04 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA VOTE: No
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:31:17 UTC
GLSA already in progress, adding this to existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:53:48 UTC
This issue was resolved and addressed in
 GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).