Bug 308573 (CVE-2010-1189) - www-apps/mediawiki-1.15.2 version bump (fixes two security issues) (CVE-2010-{1189,1190})
Status: RESOLVED FIXED
Alias: CVE-2010-1189
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: B4 [noglsa]
Reported: 2010-03-09 02:39 UTC by Patrick
Modified: 2010-05-22 11:10 UTC
CC List: 4 users
Description Patrick 2010-03-09 02:39:25 UTC
Summary says it all. Please bump ASAP.

Reproducible: Always
Comment 1 Ian Kumlien 2010-03-22 21:07:39 UTC
+1, and I think that the severity should be bumped as well.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-22 23:04:17 UTC
Severity updated.
web-apps: please provide an updated ebuild.
Comment 3 Ian Kumlien 2010-03-22 23:39:57 UTC
Creating a copy of the old ebuild should be sufficient; I upgraded my machine that way =)
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-31 19:46:17 UTC
CVE-2010-1189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1189):
  MediaWiki before 1.15.2 does not prevent wiki editors from linking to
  images from other web sites in wiki pages, which allows editors to
  obtain IP addresses and other information of wiki users by adding a
  link to an image on an attacker-controlled web site, aka "CSS
  validation issue."

CVE-2010-1190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1190):
  thumb.php in MediaWiki before 1.15.2, when used with
  access-restriction mechanisms such as img_auth.php, does not check
  user permissions before providing scaled images, which allows remote
  attackers to bypass intended access restrictions and read private
  images via unspecified manipulations.

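The first CVE above is a tracking-image problem: a wiki editor places a CSS url() reference to a host they control in user-supplied style, and every reader's browser then fetches it, handing the editor the reader's IP address and User-Agent. The checker below is an added example written for this page, not MediaWiki's Sanitizer code; the hostnames, the INSECURE marker string and the sample style attributes are constructed. It shows the part such a check must get right: canonicalising CSS escapes (`\75rl(` is `url(`), comments and control characters before matching, and failing closed on anything it cannot parse. The second CVE (thumb.php) is a different class, a derived resource served without the original's authorization check, and gets no code here.

```python
"""Checker for user-supplied CSS that refuses url() references to hosts
outside an allow-list (added example; not MediaWiki's own sanitizer)."""
import re
from urllib.parse import urlsplit

INSECURE = "/* insecure input */"  # constructed marker returned in place of rejected CSS

# \HHHHHH (1-6 hex digits, optional single trailing whitespace) or \X escapes.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_URL_OPEN = re.compile(r"url\s*\(", re.I)
_URL_FUNC = re.compile(r"url\s*\(\s*([\"']?)(.*?)\1\s*\)", re.I | re.S)


def _unescape(m):
    if m.group(1) is not None:
        code = int(m.group(1), 16)
        return chr(code) if code <= 0x10FFFF else "\ufffd"
    return m.group(2)


def normalize_css(style):
    """Canonicalise before matching, so the check sees what a browser sees:
    comments are removed (u/**/rl( becomes url( for lenient parsers),
    escapes are decoded (\\75 is 'u') and control characters are dropped."""
    style = _COMMENT.sub("", style)
    style = _ESCAPE.sub(_unescape, style)
    return _CONTROL.sub("", style)


def _is_external(target, allowed_hosts):
    """True unless `target` is a same-origin relative reference or an http(s)
    URL on an allowed host. Unparseable targets count as external."""
    try:
        parts = urlsplit(target.strip())
    except ValueError:
        return True
    if not parts.scheme and not parts.netloc:
        return False  # /path, path, ?query, #fragment: same origin
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True  # data:, javascript:, ftp:, ...: never allowed
    return (parts.hostname or "").lower() not in allowed_hosts


def external_refs(style, allowed_hosts=()):
    """Return the url() targets in `style` that would make a reader's browser
    contact a host outside `allowed_hosts` (hostnames compared case-insensitively)."""
    allowed = {h.lower() for h in allowed_hosts}
    norm = normalize_css(style)
    return [m.group(2).strip() for m in _URL_FUNC.finditer(norm)
            if _is_external(m.group(2), allowed)]


def check_css(style, allowed_hosts=()):
    """Return (True, style) to accept it unchanged, or (False, INSECURE).
    Rejects external url() targets, @import (another fetch vector), and any
    url( the matcher could not pair with a closing paren (fail closed)."""
    norm = normalize_css(style)
    if "@import" in norm.lower():
        return False, INSECURE
    if len(_URL_FUNC.findall(norm)) != len(_URL_OPEN.findall(norm)):
        return False, INSECURE
    if external_refs(style, allowed_hosts):
        return False, INSECURE
    return True, style


# Constructed sample style attributes; upload.example.org is the assumed own host.
SAMPLES = [
    "color: red; background: url(/images/logo.png)",            # same origin
    "background: url(https://upload.example.org/a.png)",        # allowed host
    "background: url(http://attacker.example/pixel.gif)",       # tracking image
    "background: url(//attacker.example/pixel.gif)",            # protocol-relative
    "background: \\75rl('http://attacker.example/pixel.gif')",  # \75 escape for 'u'
    "background: u/**/rl(http://attacker.example/pixel.gif)",   # comment-split keyword
    "@import url(http://attacker.example/evil.css)",            # stylesheet fetch
    "background: url(data:image/gif;base64,R0lGODlh)",          # non-http scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, _ = check_css(sample, allowed_hosts={"upload.example.org"})
        print("ACCEPT" if ok else "REJECT", repr(sample),
              external_refs(sample, {"upload.example.org"}))
```

external_refs() doubles as an audit tool: run it over the style attributes already stored in existing pages to find tracking images placed before the fix went in, since a sanitizer only protects edits made after it is deployed.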
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2010-04-02 17:24:24 UTC
1.15.2 in CVS.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2010-04-02 17:25:06 UTC
Adding arches, please mark as stable:

=www-apps/mediawiki-1.15.2 
Comment 7 Andreas Schürch gentoo-dev 2010-04-03 15:06:08 UTC
Tested on x86, looks good.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-04-04 18:49:12 UTC
sparc/x86 stable.

Thanks, Andreas.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-15 15:10:46 UTC
ppc done
Comment 10 Markus Meier gentoo-dev 2010-04-15 20:25:31 UTC
amd64 stable, all arches done.
Comment 11 Honza 2010-05-06 07:36:39 UTC
Is a GLSA planned for this?
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-06 13:19:23 UTC
web app → noglsa.