Upstream changelog mentions a whole bunch of vulnerabilities fixed in latest releases:

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.

== Security fixes in extensions ==

* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed.
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing.
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
All four versions added to the tree. Feel free to start the stabilization process for the currently stable series.
Thanks, Tim! Arches, please stabilize:

=www-apps/mediawiki-1.19.23
=www-apps/mediawiki-1.22.15
=www-apps/mediawiki-1.23.8
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-9507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507): MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.

CVE-2014-9277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277): The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.

CVE-2014-9276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276): Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that conduct cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
This is already on an existing GLSA draft.
CVE-2014-9476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476): MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."

CVE-2014-9475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475): Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.
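The partial-match CORS bug in CVE-2014-9476 above comes down to how an Origin header is compared against an allowlist. The following is an added illustration, not MediaWiki's code and not from this bug report: it puts a naive substring match (the class of bug the CVE describes) next to a check that parses the Origin value and compares the whole host label by label. The allowlist entries, the one-label meaning of a leading "*" and the sample origins are all constructed for the example; MediaWiki's own wildcard semantics for $wgCrossSiteAJAXdomains are not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed allowlist in the style of $wgCrossSiteAJAXdomains (example only).
ALLOWED_ORIGINS = ["en.wikipedia.org", "*.wikimedia.org"]


def naive_origin_allowed(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Vulnerable check: an allowed domain appearing *anywhere* in the Origin
    header value counts as a match. This is the partial-match flaw class:
    'http://en.wikipedia.org.evilsite.example/' passes."""
    for entry in allowed:
        domain = entry.lstrip("*.")  # drop a leading wildcard label
        if domain in origin:
            return True
    return False


def _host_matches(host: str, pattern: str) -> bool:
    """Compare DNS labels one by one. A leading '*' label matches exactly one
    non-empty label (an assumption of this example, chosen to be strict);
    any other label must match exactly, and the label counts must agree."""
    host_labels = host.lower().split(".")
    pat_labels = pattern.lower().split(".")
    if len(host_labels) != len(pat_labels):
        return False
    for i, (h, p) in enumerate(zip(host_labels, pat_labels)):
        if i == 0 and p == "*":
            if not h:
                return False
            continue
        if h != p:
            return False
    return True


def strict_origin_allowed(origin: str, allowed=ALLOWED_ORIGINS) -> bool:
    """Hardened check: parse the Origin value as a URL, require the bare
    scheme://host[:port] shape an Origin header actually has, and match the
    complete host (never a substring) against the allowlist."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # A real Origin header carries no userinfo, path, query or fragment;
    # their presence is either malformed input or an attempt to smuggle an
    # allowed name into a position a substring check would accept.
    if parts.username is not None or parts.query or parts.fragment:
        return False
    if parts.path not in ("", "/"):
        return False
    return any(_host_matches(parts.hostname, pattern) for pattern in allowed)


if __name__ == "__main__":
    # Constructed sample origins: the CVE's own example plus two other ways of
    # placing an allowed name inside a hostile Origin value.
    samples = [
        "http://en.wikipedia.org",
        "http://en.wikipedia.org.evilsite.example/",
        "https://evil.example/?x=en.wikipedia.org",
        "http://en.wikipedia.org@evil.example",
        "https://commons.wikimedia.org",
        "https://a.b.wikimedia.org",
    ]
    for origin in samples:
        print(f"{origin:45} naive={naive_origin_allowed(origin)!s:5} "
              f"strict={strict_origin_allowed(origin)}")
```

Run it as a script to see the two checks disagree on every hostile sample while agreeing on the genuine origins; the point to carry over to any allowlist check is that the comparison must be made on the parsed host as a whole, not on the raw header string.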
This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).