Bug 324029 (CVE-2010-1647) - <www-apps/mediawiki-1.15.5: Cross-site scripting (CVE-2010-{1647,1648})
Summary: <www-apps/mediawiki-1.15.5: Cross-site scripting (CVE-2010-{1647,1648})
Status: RESOLVED FIXED
Alias: CVE-2010-1647
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.wikimedia.org/show_b...
Whiteboard: B4 [noglsa]
Reported: 2010-06-14 22:17 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-01-07 00:49 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:17:22 UTC
CVE-2010-1647 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1647):
  Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before
  1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject
  arbitrary web script or HTML via crafted Cascading Style Sheets (CSS)
  strings that are processed as script by Internet Explorer.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 22:18:36 UTC
CVE-2010-1648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1648):
  Cross-site request forgery (CSRF) vulnerability in the login
  interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3
  allows remote attackers to hijack the authentication of users for
  requests that (1) create accounts or (2) reset passwords, related to
  the Special:Userlogin form.

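As an added illustration of the input class the first CVE describes (this is example code, not MediaWiki's sanitizer and not code from this bug), a small Python check that normalises a user-supplied CSS value and rejects the constructs legacy Internet Explorer executed as script; the deny-list and the helper names are assumptions of the example.

```python
import re

# Constructs that legacy Internet Explorer (and some other old engines) treated
# as script or external code when they appeared inside user-supplied CSS.
# Hypothetical deny-list for illustration, not MediaWiki's own rules.
DANGEROUS_CSS = re.compile(
    r"expression\s*\("          # IE "dynamic properties": run JavaScript
    r"|behavior\s*:"            # IE .htc behaviours
    r"|-moz-binding\s*:"        # legacy Gecko XBL bindings
    r"|@import"                 # pull in an external stylesheet
    r"|url\s*\(\s*['\"]?\s*(?:javascript|vbscript|data)\s*:",  # script/data URLs
    re.IGNORECASE,
)


def normalize_css(value: str) -> str:
    """Undo the obfuscations that hide a keyword from a naive substring filter."""
    # 1. Decode CSS hex escapes such as \65 or \000065 (optionally followed by a space).
    def _unescape(m):
        code = int(m.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else ""
    value = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?", _unescape, value)
    # 2. Decode simple escapes (\e -> e) so "e\xpression" collapses.
    value = re.sub(r"\\(.)", r"\1", value)
    # 3. Strip comments: "exp/**/ression" must read as "expression".
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.DOTALL)
    # 4. Drop control characters that old parsers skipped inside tokens.
    value = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", value)
    return value


def is_safe_css(value: str) -> bool:
    """True if the (normalised) style value contains no script-bearing construct."""
    return DANGEROUS_CSS.search(normalize_css(value)) is None


def sanitize_style_attribute(value: str) -> str:
    """Replace an unsafe style value with an inert marker instead of emitting it."""
    return value if is_safe_css(value) else "/* insecure input */"


if __name__ == "__main__":
    # Constructed samples: one benign value, one with an escaped keyword.
    for sample in ("color: red; width: 100px", "width: \\65xpression(alert(1))"):
        print(repr(sample), "->", sanitize_style_attribute(sample))
```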
Comment 2 Chris Richards 2010-07-21 02:06:18 UTC
What do we need to do to get MediaWiki 1.15.4 into the tree? That will address this bug and bug 316701. 1.15.4 has been out since late May.
Comment 3 Jesse Adelman 2010-09-11 02:59:20 UTC
1.15.5 out since 7/28/2010.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-09 05:23:19 UTC
Buuuuuuuuuuump.
If no one cares about this package, maybe we should remove it from the tree?
Comment 5 Tim Harder gentoo-dev 2010-10-09 20:57:51 UTC
(In reply to comment #4)
> Buuuuuuuuuuump.
> If no one cares about this package, maybe we should remove it from the tree?

I've added mediawiki-1.15.5 to the tree.
Comment 6 Tim Harder gentoo-dev 2010-10-13 17:59:55 UTC
Arches please test and mark stable =www-apps/mediawiki-1.15.5.
Target keywords: amd64, ppc, sparc, x86
Comment 7 Markus Meier gentoo-dev 2010-10-13 20:15:11 UTC
amd64/x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-10-15 12:38:44 UTC
ppc done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-10-24 17:50:25 UTC
sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 00:49:37 UTC
Thanks, folks. Closing noglsa for XSS.