Articles / Debian: Security update for...

Debian: Security update for MediaWiki

Several problems have been discovered in mediawiki, a website engine for collaborative work. Masato Kinugawa discovered a cross-site scripting (XSS) issue, which affects Internet Explorer clients only, and only version 6 and earlier. Web server configuration changes are required to fix this issue. Upgrading MediaWiki will only be sufficient for people who use Apache with AllowOverride enabled. Wikipedia user Suffusion of Yellow discovered a CSS validation error in the wikitext parser. This is an XSS issue for Internet Explorer clients, and a privacy loss issue for other clients since it allows the embedding of arbitrary remote images. MediaWiki developer Happy-Melon discovered that the transwiki import feature neglected to perform access control checks on form submission. The transwiki import feature is disabled by default. If it is enabled, it allows wiki pages to be copied from a remote wiki listed in $wgImportSources. The issue means that any user can trigger such an import to occur.

Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. Tim Starling discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis.

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2366-1                   security@debian.org
http://www.debian.org/security/                        Jonathan Wiltshire
December 18, 2011                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1578 CVE-2011-1579 CVE-2011-1580 CVE-2011-1587 
                CVE-2011-4360 CVE-2011-4361 
Debian Bug     : 650434

Several problems have been discovered in mediawiki, a website engine for
collaborative work.

CVE-2011-1578 CVE-2011-1587

  Masato Kinugawa discovered a cross-site scripting (XSS) issue, which
  affects Internet Explorer clients only, and only version 6 and
  earlier. Web server configuration changes are required to fix this
  issue. Upgrading MediaWiki will only be sufficient for people who use
  Apache with AllowOverride enabled.

  For details of the required configuration changes, see the upstream
  announcements:
 http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000096.html
 http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-April/000097.html

CVE-2011-1579

  Wikipedia user Suffusion of Yellow discovered a CSS validation error
  in the wikitext parser. This is an XSS issue for Internet Explorer
  clients, and a privacy loss issue for other clients since it allows
  the embedding of arbitrary remote images.

CVE-2011-1580

  MediaWiki developer Happy-Melon discovered that the transwiki import
  feature neglected to perform access control checks on form submission.
  The transwiki import feature is disabled by default. If it is enabled,
  it allows wiki pages to be copied from a remote wiki listed in
  $wgImportSources. The issue means that any user can trigger such an
  import to occur.

CVE-2011-4360

  Alexandre Emsenhuber discovered an issue where page titles on private
  wikis could be exposed bypassing different page ids to index.php. In the
  case of the user not having correct permissions, they will now be redirected
  to Special:BadTitle.

CVE-2011-4361

  Tim Starling discovered that action=ajax requests were dispatched to the
  relevant function without any read permission checks being done. This could
  have led to data leakage on private wikis.

For the oldstable distribution (lenny), these problems have been fixed in
version 1:1.12.0-2lenny9.

For the stable distribution (squeeze), these problems have been fixed in
version 1:1.15.5-2squeeze2.

For the unstable distribution (sid), these problems have been fixed in
version 1:1.15.5-5.

We recommend that you upgrade your mediawiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk7vdLMACgkQXm3vHE4uylqtlQCcDQVg0t2VIxQu7YYivt/Qa0Jm
26YAoLK//wg/L42tHVdN1WGDhVBRlcM3
=YKql
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Holtz

The abstract strategy games Zertz and Dvonn.

Screenshot

Project Spotlight

The Meson Build System

A next-generation build system.