Bug 506018 (CVE-2014-2665) - <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: No CSRF token on Special:ChangePassword (CVE-2014-2665)
Status: RESOLVED FIXED
Alias: CVE-2014-2665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:

Reported: 2014-03-28 02:10 UTC by Alex Xu (Hello71)
Modified: 2015-02-07 17:53 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Alex Xu (Hello71) 2014-03-28 02:10:52 UTC
.
Comment 1 Tim Harder gentoo-dev 2014-04-13 12:40:48 UTC
Arches, please stabilize:

=www-apps/mediawiki-1.19.15
=www-apps/mediawiki-1.21.8
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-13 14:01:13 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-04-13 14:01:44 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-04-13 14:02:05 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-13 14:10:26 UTC
Cleanup done.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 21:24:22 UTC
CVE-2014-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665):
  includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.
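The missing control described in the CVE text is a per-session anti-CSRF token on the change-password form. The following is an added illustration of that control, written here for this page; it is not MediaWiki's code and uses no MediaWiki API. The session store, the form field names (`token`, `new_password`) and the handler name `handle_change_password` are all hypothetical. It shows the three cases a defender cares about: a submission carrying the token from the session's own form is accepted, a cross-site forged POST without the token is rejected, and a forged POST carrying a token minted for a different session is rejected because the token is bound to the session it was issued to.

```python
"""Illustrative CSRF-token protection for a change-password handler.

Added example, not MediaWiki's code. Sessions, the handler and the form
field names are hypothetical; the user table is constructed in memory.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side state for one logged-in browser (hypothetical model)."""
    user: str
    # Fresh random token per session; only pages served to this session can embed it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_change_password_form(session: Session) -> dict:
    """Return the form fields a server would emit, including the hidden token."""
    return {"name": session.user, "token": session.csrf_token}


def handle_change_password(session: Optional[Session], form: dict, users: dict) -> tuple[int, str]:
    """Process a POST to the change-password form; returns (http_status, message).

    The submitted token must equal the token stored in the session that sent
    the request. A page on another origin cannot read that value, so a forged
    cross-site POST fails here before any password is touched.
    """
    if session is None:
        return 403, "not logged in"
    submitted = str(form.get("token", ""))
    # Constant-time comparison on bytes avoids leaking where the mismatch occurs.
    if not submitted or not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    if form.get("name") != session.user:
        # The form names a user other than the one this session belongs to.
        return 403, "form user does not match session user"
    if not form.get("new_password"):
        return 400, "no new password supplied"
    users[session.user] = form["new_password"]
    return 200, "password changed"


def demo() -> list[tuple[int, str]]:
    """Run three submissions against a constructed user table and return the outcomes."""
    users = {"victim": "old-pw", "attacker": "attacker-pw"}
    victim = Session(user="victim")
    other = Session(user="attacker")
    results = []
    # 1. Legitimate: fields come from the form rendered for the victim's own session.
    form = dict(render_change_password_form(victim), new_password="new-pw")
    results.append(handle_change_password(victim, form, users))
    # 2. Forged cross-site POST: no token, because the foreign page never saw one.
    forged = {"name": "victim", "new_password": "chosen-elsewhere"}
    results.append(handle_change_password(victim, forged, users))
    # 3. Forged POST reusing a token minted for a different session.
    reused = {"name": "victim", "new_password": "chosen-elsewhere", "token": other.csrf_token}
    results.append(handle_change_password(victim, reused, users))
    # Only the legitimate submission changed the stored password.
    assert users["victim"] == "new-pw"
    return results


if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

The check is deliberately placed before any state change and compares in constant time; binding the token to the session rather than to the user account is what makes case 3 fail even though the submitted token is a genuine server-issued value.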
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:55:04 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA VOTE: No
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 04:31:17 UTC
GLSA already in progress, adding this to existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 17:53:48 UTC
This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).