Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 468110 (CVE-2013-2031) - <www-apps/mediawiki-{1.19.6,1.20.5}: Security releases 1.20.5 and 1.19.6 (CVE-2013-{2031,2032})
Summary: <www-apps/mediawiki-{1.19.6,1.20.5}: Security releases 1.20.5 and 1.19.6 (CVE...
Status: RESOLVED FIXED
Alias: CVE-2013-2031
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-01 10:12 UTC by Agostino Sarubbo
Modified: 2013-11-19 04:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-01 10:12:38 UTC
From ${URL} :

Two flaws were corrected in the recently-released MediaWiki 1.20.5 and 1.19.6 releases:

* Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and 
Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as 
UTF-8. [1]

* Internal review discovered that extensions were not given the opportunity to disable a password 
reset, which could lead to circumvention of two-factor authentication. [2]

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=46590


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 Tim Harder gentoo-dev 2013-05-01 16:45:48 UTC
Arches, please stabilize:
=www-apps/mediawiki-1.19.6
=www-apps/mediawiki-1.20.5
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-02 12:03:30 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-02 12:04:01 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-03 13:32:45 UTC
ppc stable
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-30 12:22:18 UTC
If this requires a GLSA, it could be combined with bug 471140.
Comment 6 Sergey Popov gentoo-dev 2013-08-23 09:48:07 UTC
GLSA vote: no
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:37 UTC
This issue was resolved and addressed in
 GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-19 04:21:45 UTC
CVE-2013-2032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2032):
  MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions
  to prevent password changes without using both Special:PasswordReset and
  Special:ChangePassword, which allows remote attackers to bypass the intended
  restrictions of an extension that only implements one of these blocks.

CVE-2013-2031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2031):
  MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to
  conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA
  section containing valid UTF-7 encoded sequences in a SVG file, which is
  then incorrectly interpreted as UTF-8 by Chrome and Firefox.