Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 460352 (CVE-2013-1816) - <www-apps/mediawiki-{1.19.4,1.20.3}: fix three security issues (CVE-2013-{1816,1817,1818})
Summary: <www-apps/mediawiki-{1.19.4,1.20.3}: fix three security issues (CVE-2013-{181...
Status: RESOLVED FIXED
Alias: CVE-2013-1816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-04 23:41 UTC by Manuel Rüger (RETIRED)
Modified: 2013-10-28 17:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Manuel Rüger (RETIRED) gentoo-dev 2013-03-04 23:41:52 UTC
"These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST
when establishing an SSL connection, instead of '2'.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=44135>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=42441>

* MediaWiki developer Krenair discovered that the full user object,
including password hash, could be returned when unblocking a user by
the API. Exploitation of this vulnerability requires the user to have
permissions to unblock users, by default this is limited to users in
the sysop group.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=43518>

* MediaWiki developer Platonides discovered that the maintenance
script mwdoc-filter.php did not check if it was being run via the CLI,
and could allow an attacker to read arbitrary files if PHP's
register_globals was enabled and the .htaccess file in the maintenance
directory, which by default denies access for all users, was disabled.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45355>
"
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 23:49:51 UTC
Thank you for the report, Manuel.
Comment 2 Tim Harder gentoo-dev 2013-03-05 09:44:56 UTC
Both releases added to CVS, feel free to start the stabilization process.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-05 11:39:36 UTC
Thanks, Tim.

Arches, please test and mark stable:
=www-apps/mediawiki-1.19.4
=www-apps/mediawiki-1.20.3
Target KEYWORDS "~alpha amd64 ppc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-06 16:07:24 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-06 16:11:47 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-09 11:29:59 UTC
ppc stable
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:36:21 UTC
GLSA request filed.
Comment 8 Tim Harder gentoo-dev 2013-04-17 00:27:14 UTC
Arches, please stabilize:
=www-apps/mediawiki-1.19.5
=www-apps/mediawiki-1.20.4
Comment 9 Tim Harder gentoo-dev 2013-04-17 00:32:29 UTC
(In reply to comment #8)
> Arches, please stabilize:
> =www-apps/mediawiki-1.19.5
> =www-apps/mediawiki-1.20.4

Sorry for the bugspam, posted to the wrong bug.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 17:08:33 UTC
This issue was resolved and addressed in
 GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml
by GLSA coordinator Sergey Popov (pinkbyte).