oss-sec mailing list archives

CVE requests: MediaWiki 1.22.3, 1.21.6 and 1.19.12 release


From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 28 Feb 2014 18:25:22 +1100

Good morning,

As noted in https://bugs.gentoo.org/show_bug.cgi?id=503012 a few security bugs are fixed in the 1.22.3, 1.21.6 and 1.19.12 MediaWiki release:

http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html

Can CVEs be assigned to the following (if they are all CVE worthy)?

https://bugzilla.redhat.com/show_bug.cgi?id=1071135
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non-whitelisted namespace.

An attacker could perform cross-site scripting attacks by uploading crafted SVG images.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb,n,z



https://bugzilla.redhat.com/show_bug.cgi?id=1071136
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 61346) SECURITY: Make token comparison use constant time. It seems
  like our token comparison would be vulnerable to timing attacks. This
  will take constant time.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z



https://bugzilla.redhat.com/show_bug.cgi?id=1071139
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

An attacker could perform cross-site scripting attacks.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=61362
https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb,n,z

Thanks,

--
Murray McAllister / Red Hat Security Response Team
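
The constant-time token comparison item (bug 61346) in the message above, as an added example that is not part of the original post and is not MediaWiki's code: it counts how many bytes each comparison examines, so the difference between an early-exit check and a constant-time one is visible without measuring time. The token, the guesses and all function names are constructed for illustration.

```python
import hmac

def early_exit_equal(known: str, supplied: str):
    """Naive check: stops at the first mismatch. Returns (equal, bytes_examined)."""
    a, b = known.encode(), supplied.encode()
    examined = 0
    if len(a) != len(b):
        return False, examined
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            # Work done so far reveals how long the correct prefix is.
            return False, examined
    return True, examined

def constant_time_equal(known: str, supplied: str):
    """XOR-accumulate check: work depends only on len(supplied)."""
    a, b = known.encode(), supplied.encode()
    if not a:
        return False, 0
    diff = len(a) ^ len(b)          # a length mismatch can never compare equal
    examined = 0
    for i in range(len(b)):
        diff |= a[i % len(a)] ^ b[i]  # no branch on secret data
        examined += 1
    return diff == 0, examined

def token_matches(known: str, supplied: str) -> bool:
    """What to call in real code: the standard library's constant-time compare."""
    return hmac.compare_digest(known.encode(), supplied.encode())

def work_profile(compare, known, guesses):
    """Bytes examined for each guess; a flat profile means nothing leaks."""
    return [compare(known, g)[1] for g in guesses]

# Constructed sample data: a 16-character token and guesses sharing
# 0, 4 and 15 leading characters with it.
KNOWN = "9f2c4e7a1b3d5f60"
GUESSES = ["0000000000000000", "9f2c000000000000", "9f2c4e7a1b3d5f61"]

if __name__ == "__main__":
    print("early exit   :", work_profile(early_exit_equal, KNOWN, GUESSES))
    print("constant time:", work_profile(constant_time_equal, KNOWN, GUESSES))
    print("compare_digest on the real token:", token_matches(KNOWN, KNOWN))
```
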

