BugTraq
[ MDVSA-2014:119 ] mediawiki Jun 10 2014 04:47PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:119
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : mediawiki
Date : June 10, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.7, due to usernames on
Special:PasswordReset being parsed as wikitext. The username on
Special:PasswordReset can be supplied by anyone and will be parsed
with wgRawHtml enabled. Since Special:PasswordReset is whitelisted
by default on private wikis, this could potentially lead to an XSS
crossing a privilege boundary (CVE-2014-3966).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
http://advisories.mageia.org/MGASA-2014-0253.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
ff6c87c0ca4184be601a11c11487b5a6 mbs1/x86_64/mediawiki-1.22.7-1.mbs1.noarch.rpm
64e807f5fa514e1149b4bdf51433efb6 mbs1/x86_64/mediawiki-mysql-1.22.7-1.mbs1.noarch.rpm
891e200fedb9c4eba765c824b2320346 mbs1/x86_64/mediawiki-pgsql-1.22.7-1.mbs1.noarch.rpm
d80771e17bd538455da34534b3da2e28 mbs1/x86_64/mediawiki-sqlite-1.22.7-1.mbs1.noarch.rpm
92c5c9e169e42307b700f97de6f23309 mbs1/SRPMS/mediawiki-1.22.7-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTlwx/mqjQ0CJFipgRAoWfAKDzOErE37mmvJoT3SyXJXuHBBGpOwCg8BRx
cWYvlL1QW2ri4ugTZt2imCU=
=fW5t
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus