Bug 637582 (CVE-2017-8808, CVE-2017-8809, CVE-2017-8810, CVE-2017-8811, CVE-2017-8812, CVE-2017-8814, CVE-2017-8815)

Summary:	<www-apps/mediawiki-1.32.0: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	slyfox, web-apps
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [noglsa cve]
Package list:	www-apps/mediawiki-1.32.0	Runtime testing required:	No

Description GLSAMaker/CVETool Bot gentoo-dev

2017-11-15 14:13:44 UTC

CVE-2017-8815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8815):
  The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and
  1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.

CVE-2017-8814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8814):
  The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and
  1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule
  definition followed by "a lot of junk."

CVE-2017-8812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8812):
  MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
  allows remote attackers to inject > (greater than) characters via the id
  attribute of a headline.

CVE-2017-8811 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8811):
  The implementation of raw message parameter expansion in MediaWiki before
  1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling
  attacks.

CVE-2017-8810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8810):
  MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2,
  when a private wiki is configured, provides different error messages for
  failed login attempts depending on whether the username exists, which allows
  remote attackers to enumerate account names and conduct brute-force attacks
  via a series of requests.

CVE-2017-8809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8809):
  api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before
  1.29.2 has a Reflected File Download vulnerability.

CVE-2017-8808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8808):
  MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has
  XSS when the $wgShowExceptionDetails setting is false and the browser sends
  non-standard URL escaping.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-15 14:18:05 UTC

@Maintainers please call for stabilization when ready.

Thank you

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-01-19 21:08:28 UTC

@maintainer(s), please bump the package LTS to at least 1.27.4.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-11-25 00:43:00 UTC

ping for bumpage.

Comment 4 Miroslav Šulc gentoo-dev

2019-02-13 12:36:54 UTC

i've bumped mediawiki to version 1.31.1 some time ago and and to 1.32.0 recently. so i guess one of these can go stable.

commit 7724838bfca3aec523c82232cfa717fc1eb38d3e
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Feb 5 14:14:00 2019 +0100

    www-apps/mediawiki-1.32.0: bump
    
    Closes: https://bugs.gentoo.org/675186
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 294cc98f55c6c485070698177dd7f72f341cc058
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Tue Oct 23 18:35:38 2018 +0200

    www-apps/mediawiki: version bump per bug #611240
    
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2019-04-14 02:15:26 UTC

@arches, please stabilize.

Comment 6 Agostino Sarubbo gentoo-dev

2019-04-14 10:24:10 UTC

amd64 stable

Comment 7 ernsteiswuerfel archtester

2019-04-14 18:55:01 UTC

Looking good on ppc.

# cat mediawiki-637582.report 
USE tests started on So 14. Apr 19:45:51 CEST 2019

FEATURES=' test' USE='' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres -sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick -mysql postgres -sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres sqlite -vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick -mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql postgres -sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql -postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql -postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='-imagemagick mysql postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0
USE='imagemagick mysql postgres sqlite vhosts' succeeded for =www-apps/mediawiki-1.32.0

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2019-04-20 02:23:13 UTC

(In reply to ernsteiswuerfel from comment #7)
> Looking good on ppc.
> 
> # cat mediawiki-637582.report 
> USE tests started on So 14. Apr 19:45:51 CEST 2019
> 
> FEATURES=' test' USE='' succeeded for =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres -sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick -mysql postgres -sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres sqlite -vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick -mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql postgres -sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql -postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql -postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='-imagemagick mysql postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0
> USE='imagemagick mysql postgres sqlite vhosts' succeeded for
> =www-apps/mediawiki-1.32.0

thanks!

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-24 21:34:32 UTC

x86 stable

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2019-04-24 22:42:26 UTC

@maintainer, please drop vulnerable

Comment 11 Larry the Git Cow gentoo-dev

2019-04-25 06:51:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd1f071fcacf79be077e6f3845ac951aa0979651

commit fd1f071fcacf79be077e6f3845ac951aa0979651
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-04-25 06:51:10 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-04-25 06:51:10 +0000

    www-apps/mediawiki-1.{27.3,31.1}: removed vulnerable (bug #637582)
    
    Bug: https://bugs.gentoo.org/637582
    Package-Manager: Portage-2.3.64, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-apps/mediawiki/Manifest                |  2 -
 www-apps/mediawiki/mediawiki-1.27.3.ebuild | 79 ----------------------------
 www-apps/mediawiki/mediawiki-1.31.1.ebuild | 82 ------------------------------
 3 files changed, 163 deletions(-)