Summary: | <www-apps/mediawiki-{1.19.20,1.22.12,1.23.5}: Multiple vulnerabilities (CVE-2014-{5241,5242,5243}) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Xu (Hello71) <alex_y_xu>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | dev-zero, web-apps
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-July/000157.html | |
Whiteboard: | B4 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 515138 | |
Bug Blocks: | | |

Description
Alex Xu (Hello71)
2014-07-30 20:22:21 UTC
please ignore description.

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.

I've taken the liberty to bump the ebuilds and drop the vulnerable versions.

Stabilization targets:

* www-apps/mediawiki-1.19.18 amd64 ppc x86 (legacy stable)
* www-apps/mediawiki-1.22.10 amd64 ppc x86 (stable, upgrade path from discontinued 1.21)

(In reply to Alex Xu (Hello71) from comment #0)
> +++ This bug was initially created as a clone of Bug #515138 +++
>

Please don't use the cloning feature for security bugs. It has really created a mess with this series of bugs.

CVE-2014-5243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243): MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-5242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242): Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox class in conjunction with an action=raw value.

CVE-2014-5241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241): The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.

This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
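
An added example, not MediaWiki's code and not part of the bug report: a hardened JSONP response builder covering the two points in the CVE-2014-5241 description above, a bounded and restricted callback name, and a fixed comment prefix so the initial bytes of the response are not chosen by the requester. The function name `buildJsonpResponse`, the 64-character cap and the callback pattern are assumptions made for illustration.

```javascript
// Added example (not MediaWiki code). Names and limits are assumptions.
const MAX_CALLBACK_LENGTH = 64; // assumed cap; the CVE text only says "long" values
// Dotted JavaScript identifier path, e.g. "mw.handle"; nothing else is accepted.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Returns { status, headers, body } for a JSONP request.
function buildJsonpResponse(callback, data) {
  if (typeof callback !== 'string' ||
      callback.length > MAX_CALLBACK_LENGTH ||
      !CALLBACK_RE.test(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  // JSON.stringify leaves U+2028/U+2029 raw; escape them so the payload is
  // also valid JavaScript in older engines.
  const json = JSON.stringify(data ?? null)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The fixed "/**/" prefix means the first bytes of the response are never
    // requester-controlled, so the body cannot begin with another file
    // format's signature.
    body: '/**/' + callback + '(' + json + ');',
  };
}

// Constructed sample inputs.
const ok = buildJsonpResponse('mw.handle', { user: 'Example' });
const tooLong = buildJsonpResponse('A'.repeat(500), {});
const badChars = buildJsonpResponse('cb</script>', {});
console.log(ok.body, tooLong.status, badChars.status);
```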