Bug 557844 - <www-apps/mediawiki-{1.23.10,1.24.3,1.25.2}: Multiple vulnerabilities (CVE-2015-{6728,6729,6730,6731,6732,6733,6734,6735,6736,6737})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.wikimedia.org/pipermail...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: 545944
Reported: 2015-08-15 14:04 UTC by Manuel Rüger
Modified: 2015-10-31 15:20 UTC

See Also:
Package list:
Runtime testing required: ---
Description Manuel Rüger gentoo-dev 2015-08-15 14:04:18 UTC
== Security fixes ==

* Internal review discovered that Special:DeletedContributions did not
properly protect the IP of autoblocked users. This fix makes the
functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.
<https://phabricator.wikimedia.org/T106893>

* Internal review discovered that watchlist anti-csrf tokens were not being
compared in constant time, which could allow various timing attacks. This
could allow an attacker to modify a user's watchlist via csrf.
<https://phabricator.wikimedia.org/T94116>

* John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in xss.
<https://phabricator.wikimedia.org/T97391>

Additionally, the following extensions have been updated to fix security
issues:

* Extension:SemanticForms - MediaWiki user Grunny discovered multiple
reflected xss vectors in SemanticForms. Further internal review discovered
and fixed other reflected and stored xss vectors.
<https://phabricator.wikimedia.org/T103391>
<https://phabricator.wikimedia.org/T103765>
<https://phabricator.wikimedia.org/T103761>

* Extension:SyntaxHighlight_GeSHi - xss and potential DoS vectors. Internal
review discovered that the contrib directory for GeSHi was re-included in
MediaWiki 1.25. Some scripts could potentially be used for DoS, and
DAU Huy Ngoc discovered an xss vector. All contrib scripts have been
removed.
<https://phabricator.wikimedia.org/T108198>

* Extension:TimedMediaHandler - User:McZusatz reported that resetting
transcodes deleted the transcode without creating a new one, which could be
used for vandalism or potentially DoS.
<https://phabricator.wikimedia.org/T100211>

* Extension:Quiz - Internal review discovered that Quiz did not properly
escape regex metacharacters in a user controlled regular expression,
enabling a DoS vector.
<https://phabricator.wikimedia.org/T97083>

* Extension:Widgets - MediaWiki developer Majr reported a potential HTML
injection (xss) vector.
<https://phabricator.wikimedia.org/T88964>
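
The watchlist token item above turns on how the comparison is done. The following PHP is an added example, not MediaWiki's code and not part of the original report; the function names and the token value are constructed. It counts the bytes each comparison examines, so the data-dependent work of an early-exit compare is visible next to a fixed-work compare and the built-in hash_equals().

```php
<?php
// Added example: all names and the token value are constructed.

// Early-exit comparison. Returns [equal, bytesExamined] so the data-dependent
// amount of work is visible without relying on noisy wall-clock timing.
function earlyExitCompare(string $known, string $supplied): array
{
    $n = min(strlen($known), strlen($supplied));
    for ($i = 0; $i < $n; $i++) {
        if ($known[$i] !== $supplied[$i]) {
            return [false, $i + 1]; // stops at the first differing byte
        }
    }
    return [strlen($known) === strlen($supplied), $n];
}

// Fixed-work comparison: every byte of the secret is examined and differences
// are OR-ed together, so the work does not depend on where a mismatch occurs.
function fixedWorkCompare(string $known, string $supplied): array
{
    $len  = strlen($known);
    $diff = $len ^ strlen($supplied);
    // On a length mismatch, still walk $known so the loop length is unchanged.
    $other = ($diff === 0) ? $supplied : $known;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($other[$i]);
    }
    return [$diff === 0, $len];
}

$sessionToken = 'c3ab8ff13720e8ad9047dd39466b3c89'; // constructed sample token
$candidates = [
    'no prefix match' => 'x' . substr($sessionToken, 1),
    '8-byte prefix'   => substr($sessionToken, 0, 8) . str_repeat('x', 24),
    'exact'           => $sessionToken,
];

foreach ($candidates as $label => $candidate) {
    [, $earlyWork] = earlyExitCompare($sessionToken, $candidate);
    [$fixedEqual, $fixedWork] = fixedWorkCompare($sessionToken, $candidate);
    // hash_equals() (PHP >= 5.6) is the built-in to use in real code.
    $builtin = hash_equals($sessionToken, $candidate);
    printf("%-16s early-exit: %2d bytes  fixed: %2d bytes  equal: %s / %s\n",
        $label, $earlyWork, $fixedWork,
        var_export($fixedEqual, true), var_export($builtin, true));
}
```
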
Comment 1 Manuel Rüger gentoo-dev 2015-08-15 14:06:58 UTC
Please note that 1.19 EOL'd since 2015-05-25.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-15 16:45:55 UTC
CVE Request - http://seclists.org/oss-sec/2015/q3/332
Comment 3 Tim Harder gentoo-dev 2015-08-25 05:04:51 UTC
Arches please stabilize.

You can probably stabilize all three versions since we'll probably drop 1.19 and 1.22 after this.
Comment 4 Agostino Sarubbo gentoo-dev 2015-08-25 07:11:15 UTC
(In reply to Tim Harder from comment #3)
> Arches please stabilize.
> 
> You can probably stabilize all three versions since we'll probably drop 1.19
> and 1.22 after this.

Tim, next time please clearly state the exact version that needs stabilization. Thanks.
Comment 5 Agostino Sarubbo gentoo-dev 2015-08-25 07:16:26 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-08-25 07:16:52 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-08-26 07:28:56 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-19 04:17:38 UTC
GLSA Vote: Yes
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2015-10-07 07:58:11 UTC
(In reply to Yury German from comment #8)
> GLSA Vote: Yes

Yes, already approved for bug 545944
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:20:34 UTC
This issue was resolved and addressed in GLSA 201510-05 at
https://security.gentoo.org/glsa/201510-05 by GLSA coordinator
Kristian Fiskerstrand (K_F).