Date: Wed, 04 Sep 2013 23:47:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Thijs Kinkhorst <thijs@...ian.org>, Chris Steipp <csteipp@...imedia.org>
Subject: Re: CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8


On 09/04/2013 04:18 AM, Thijs Kinkhorst wrote:
> Hi,
> 
> Mediawiki has announced the following security releases. The
> message contains a link to the patches for various release
> branches.
> 
> Can CVE names be assigned please?
> 
> 
> thanks, Thijs

Top posting because I'm lazy

CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
CVE-2013-4302 MediaWiki CSRF token access 49090
CVE-2013-4303 MediaWiki XSS with IE 52746
CVE-2013-4304 MediaWiki CentralAuth auth bypass
CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
CVE-2013-4306 MediaWiki CheckUser CSRF bypass
CVE-2013-4307 MediaWiki Wikibase XSS
CVE-2013-4308 MediaWiki LiquidThreads XSS


> ---------------------------- Original Message ----------------------------
> Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
> From:    "Chris Steipp" <csteipp@...imedia.org>
> Date:    Tue, September 3, 2013 22:50
> To:      mediawiki-announce@...ts.wikimedia.org
>          "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>
>          "Wikimedia developers" <wikitech-l@...ts.wikimedia.org>
> --------------------------------------------------------------------------
>
>  I would like to announce the release of MediaWiki 1.21.2, 1.20.7
> and 1.19.8. These releases fix 3 security related bugs that could
> affect users of MediaWiki. Download links are given at the end of
> this email.
> 
> * Mozilla, and other developers, reported a full path disclosure
> in MediaWiki, when an invalid language is specified in
> ResourceLoader 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>
> 
> * An internal review found several API modules allowed anti-CSRF
> tokens to be accessed via JSONP. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>
> 
> * Andreas Peetz reported an issue with the MediaWiki API where an
> invalid property name could be used for XSS with older versions of
> Internet Explorer. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>
> 
> 
> Additionally, the following extensions have been updated to fix
> security issues:
> 
> * CentralAuth: An internal review found an authentication
> regression that allowed an attacker to bypass authentication 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>
> 
> * SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the
> included example.php script 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>
> 
> * CheckUser: Alex Monk reported and fixed that CheckUser didn't
> require anti-CSRF tokens for checking users 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>
> 
> * Wikibase: Liangent reported and fixed an XSS 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>
> 
> * LiquidThreads: Alex Monk reported and fixed an XSS 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>
> 
> 
> 
> Full release notes for 1.21.2: 
> <https://www.mediawiki.org/wiki/Release_notes/1.21>
> 
> Full release notes for 1.20.7: 
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
> 
> Full release notes for 1.19.8: 
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
> 
> For information about how to upgrade, see 
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
> 
> 
> **********************************************************************
> 1.21.2
> **********************************************************************
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz
> 
> Patch to previous version (1.21.1):
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig
> 
> Public keys: https://www.mediawiki.org/keys/keys.html
> 
> **********************************************************************
> 1.20.7
> **********************************************************************
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz
> 
> Patch to previous version (1.20.6):
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig
> 
> Public keys: https://www.mediawiki.org/keys/keys.html
> 
> **********************************************************************
> 1.19.8
> **********************************************************************
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz
> 
> Patch to previous version (1.19.7):
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig
> 
> Public keys: https://www.mediawiki.org/keys/keys.html
> 
> **********************************************************************
> Extension:CentralAuth
> **********************************************************************
> 
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CentralAuth
> 
> **********************************************************************
> Extension:SyntaxHighlight_GeSHi
> **********************************************************************
> 
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
> 
> **********************************************************************
> Extension:CheckUser
> **********************************************************************
> 
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CheckUser
> 
> **********************************************************************
> Extension:Wikibase
> **********************************************************************
> 
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:Wikibase
> 
> **********************************************************************
> Extension:LiquidThreads
> **********************************************************************
> 
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:LiquidThreads
> _______________________________________________
> MediaWiki announcements mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
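For the JSONP token issue in the announcement above (bug 49090, assigned CVE-2013-4302), here is an added Python model of the defensive pattern, not MediaWiki's own code: the names render, strip_tokens, parse_jsonp and SAMPLE_RESULT are assumed, and the sample result and token values are constructed. It contrasts a JSONP renderer that echoes anti-CSRF tokens with one that drops them, since a JSONP body runs as a script in any origin that requests it.

```python
import json
import re
from typing import Any, Dict, Tuple

# Constructed sample of what a MediaWiki-style API module might return to a
# logged-in user; the token values are made up, not real tokens.
SAMPLE_RESULT: Dict[str, Any] = {
    "query": {"userinfo": {"id": 42, "name": "Alice"}},
    "tokens": {"csrftoken": "d41d8cd98f00b204+\\", "watchtoken": "9e107d9d372bb682+\\"},
}

# A JSONP callback must be a plain (dotted) identifier; anything else is refused.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def strip_tokens(node: Any) -> Any:
    """Return a copy of the result with every 'token'/'tokens' key removed, recursively."""
    if isinstance(node, dict):
        return {k: strip_tokens(v) for k, v in node.items()
                if not k.lower().endswith(("token", "tokens"))}
    if isinstance(node, list):
        return [strip_tokens(v) for v in node]
    return node


def render(result: Dict[str, Any], params: Dict[str, str], hardened: bool = True) -> Tuple[str, str]:
    """Serialise an API result as JSON, or as JSONP when a callback= parameter is present.

    Returns (content_type, body). A JSONP body is executed as a <script> by whatever
    origin requested it, with the victim's cookies attached, so every value in it is
    readable cross-origin. With hardened=True the anti-CSRF token fields are therefore
    dropped from JSONP responses; hardened=False reproduces the leaky behaviour.
    """
    callback = params.get("callback")
    if callback is None:
        return "application/json", json.dumps(result)
    if not _CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    body = strip_tokens(result) if hardened else result
    return "text/javascript", f"{callback}({json.dumps(body)})"


def parse_jsonp(body: str) -> Tuple[str, Any]:
    """Split 'cb({...})' into (callback, decoded payload) so a response can be inspected."""
    name, _, rest = body.partition("(")
    return name, json.loads(rest[:-1])
```

Plain JSON responses keep their tokens because the browser's same-origin policy already prevents another site from reading them; only the script-executable JSONP form needs the stripping.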