363891 – (CVE-2011-1578) <www-apps/mediawiki-1.16.4: Multiple vulnerabilities (CVE-2011-{1578,1579,1580,1587})

Bug 363891 (CVE-2011-1578) - <www-apps/mediawiki-1.16.4: Multiple vulnerabilities (CVE-2011-{1578,1579,1580,1587})

Summary: <www-apps/mediawiki-1.16.4: Multiple vulnerabilities (CVE-2011-{1578,1579,158...

Status:	RESOLVED FIXED

Alias:	CVE-2011-1578

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://lists.wikimedia.org/pipermail/...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-04-16 21:38 UTC by Tim Sammut (RETIRED)
Modified:	2011-04-26 23:18 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2011-04-16 21:38:39 UTC

MediaWiki 1.16.3 corrected several security issues:

http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000096.html

And from oss-security:

> 1) XSS with IE <= 6 due to improper handling of uploaded file names
Use CVE-2011-1578

> > 2) CSS validation error in wikitext parser
Use CVE-2011-1579

> > 3) transwiki import neglects to perform access control checks
Use CVE-2011-1580


Thanks for the quick bump. Unfortunately, the XSS fix was incomplete and 1.16.4 was released.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html

Comment 1 Tim Harder gentoo-dev

2011-04-20 01:12:06 UTC

Bumped to 1.16.4 in CVS.

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2011-04-20 01:17:19 UTC

(In reply to comment #1)
> Bumped to 1.16.4 in CVS.

Great, thank you.

Arches, please test and mark stable:
=www-apps/mediawiki-1.16.4
Target keywords : "amd64 ppc sparc x86"

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-04-20 01:24:44 UTC

CVE assigned for incomplete fix per http://www.openwall.com/lists/oss-security/2011/04/18/5.

----- Original Message -----
> Looks as though Mediawiki 1.16.3 did not fully fix the CVE-2011-1578
> issue (XSS), so 1.16.4 has been released:
> 
> http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html
> 
> Could a CVE name get assigned to this?
> 

Please use CVE-2011-1587.

Comment 4 Thomas Kahle (RETIRED) gentoo-dev

2011-04-20 15:14:17 UTC

x86 stable. Thanks

Comment 5 Agostino Sarubbo gentoo-dev

2011-04-22 10:51:24 UTC

amd64 ok

Comment 6 Raúl Porcel (RETIRED) gentoo-dev

2011-04-23 17:49:42 UTC

sparc stable

Comment 7 Joe Jezak (RETIRED) gentoo-dev

2011-04-24 02:59:35 UTC

Marked ppc stable.

Comment 8 Markos Chandras (RETIRED) gentoo-dev

2011-04-25 09:45:22 UTC

amd64 done. Thanks Agostino

Comment 9 Tim Sammut (RETIRED) gentoo-dev

2011-04-26 02:46:03 UTC

Thanks, everyone. GLSA Vote: no.

Comment 10 Stefan Behte (RETIRED) gentoo-dev

2011-04-26 23:18:47 UTC

Vote: NO. Closing noglsa.