Message-ID: <1848832289.24879971.1346423678094.JavaMail.root@redhat.com>
Date: Fri, 31 Aug 2012 10:34:38 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple security flaws

Hello Kurt, Steve, vendors,

  multiple security flaws were corrected in recent (1.19.2, and 1.18.5)
versions of MediaWiki, a wiki engine:

1) Stored XSS via a File::link to a non-existing image

   Upstream bug:
   [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700

   Upstream patch against the 1.19 version:
   [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11

   Upstream patch against the 1.18 version:
   [3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12

   References:
   [4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [6] https://bugzilla.redhat.com/show_bug.cgi?id=853409

2) Multiple DOM-based XSS flaws due to improper filtering of uselang
   parameter in combination with JS gadgets

   Upstream bug:
   [7] https://bugzilla.wikimedia.org/show_bug.cgi?id=37587

   Relevant upstream patch:
   [8] https://gerrit.wikimedia.org/r/#/c/13336/

   References:
   [9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [11] https://bugzilla.redhat.com/show_bug.cgi?id=853417

3) CSRF tokens, available via API, not protected when X-Frame-Options
   headers used

   Upstream bug:
   [12] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180

   Relevant upstream patch:
   [13] https://gerrit.wikimedia.org/r/#/c/20472/

   References:
   [14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [16] https://bugzilla.redhat.com/show_bug.cgi?id=853426

4) Did not prevent account creation for IP addresses blocked with
   GlobalBlocking

   Upstream bug:
   [17] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824

   Upstream patch against the 1.18 version:
   [18] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0

   References:
   [19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [21] https://bugzilla.redhat.com/show_bug.cgi?id=853440

5) Password saved always to the local MediaWiki database and
   possibility to use old passwords for non-existing accounts
   in the external auth system

   Upstream bug:
   [22] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184

   Upstream patch:
   [23] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1

   References:
   [24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [26] https://bugzilla.redhat.com/show_bug.cgi?id=853442

6) Metadata about blocks, hidden by a user with suppression rights,
   was visible to administrators

   Upstream bug:
   [27] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823

   Patch for 1.18 branch:
   [28] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1

   References:
   [29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
   [30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
   [31] No Red Hat bugzilla entry, since this did not affect MediaWiki
        versions, as shipped across various Red Hat products.

Could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team