Date: Fri, 31 Aug 2012 11:51:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: CVE Request -- MediaWiki 1.19.2 and 1.18.5 multiple
 security flaws

On 08/31/2012 08:34 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> multiple security flaws were corrected in recent (1.19.2, and
> 1.18.5) versions of MediaWiki, a wiki engine:

Top posting and in line:

CVE-2012-4377 Stored XSS via a File::link to a non-existing image

CVE-2012-4378 Multiple DOM-based XSS flaws due to improper filtering of
uselang parameter

CVE-2012-4379 CSRF tokens, available via API, not protected when
X-Frame-Options headers used

CVE-2012-4380 Did not prevent account creation for IP addresses
blocked with GlobalBlocking

CVE-2012-4381 Password saved always to the local MediaWiki database

CVE-2012-4382 Metadata about blocks

> 1) Stored XSS via a File::link to a non-existing image
> Upstream bug:
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
> 
> Upstream patch against the 1.19 version:
> [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c11
> 
> Upstream patch against the 1.18 version:
> [3] https://bugzilla.wikimedia.org/show_bug.cgi?id=39700#c12
> 
> References:
> [4] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [6] https://bugzilla.redhat.com/show_bug.cgi?id=853409

Please use CVE-2012-4377 for this issue.

> 2) Multiple DOM-based XSS flaws due to improper filtering of uselang
> parameter in combination with JS gadgets
> Upstream bug:
> [7] https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
> 
> Relevant upstream patch:
> [8] https://gerrit.wikimedia.org/r/#/c/13336/
> 
> References:
> [9] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [10] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [11] https://bugzilla.redhat.com/show_bug.cgi?id=853417

Please use CVE-2012-4378 for this issue.

> 3) CSRF tokens, available via API, not protected when
> X-Frame-Options headers used
> Upstream bug:
> [12] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
> 
> Relevant upstream patch:
> [13] https://gerrit.wikimedia.org/r/#/c/20472/
> 
> References:
> [14] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [15] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [16] https://bugzilla.redhat.com/show_bug.cgi?id=853426

Please use CVE-2012-4379 for this issue.

> 4) Did not prevent account creation for IP addresses blocked with
> GlobalBlocking
> Upstream bug:
> [17] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824
> 
> Upstream patch against the 1.18 version:
> [18] https://bugzilla.wikimedia.org/show_bug.cgi?id=39824#c0
> 
> References:
> [19] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [20] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [21] https://bugzilla.redhat.com/show_bug.cgi?id=853440

Please use CVE-2012-4380 for this issue.

> 5) Password saved always to the local MediaWiki database and
> possibility to use old passwords for non-existing accounts in the
> external auth system
> Upstream bug:
> [22] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
> 
> Upstream patch:
> [23] https://bugzilla.wikimedia.org/show_bug.cgi?id=39184#c1
> 
> References:
> [24] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [25] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [26] https://bugzilla.redhat.com/show_bug.cgi?id=853442

Please use CVE-2012-4381 for this issue.

> 6) Metadata about blocks, hidden by a user with suppression
> rights, was visible to administrators
> Upstream bug:
> [27] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
> 
> Patch for 1.18 branch:
> [28] https://bugzilla.wikimedia.org/show_bug.cgi?id=39823#c1
> 
> References:
> [29] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767
> [30] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330
> [31] No Red Hat bugzilla entry, since this did not affect MediaWiki
> versions, as shipped across various Red Hat products.

Please use CVE-2012-4382 for this issue.

> Could you allocate CVE ids for these?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
