Ubuntu
mediawiki package

CVE-2009-0737 Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php)

Bug #348858 reported by Andreas Wenning
256
Affects Status Importance Assigned to Milestone
mediawiki (Ubuntu)
Fix Released
High
Andreas Wenning
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: mediawiki

== Upstream description ==
A number of cross-site scripting (XSS) security vulnerabilities were discovered in the web-based installer (config/index.php). These vulnerabilities all require a live installer -- once the installer has been used to install a wiki, it is deactivated.

== Links ==
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000084.html

== Affects ==
jaunty
intrepid
hardy
gutsy (not patchable due to packaging)
dapper (not patchable due to packaging)

Andreas Wenning (andreas-wenning)
Changed in mediawiki:
assignee: nobody → andreas-wenning
importance: Undecided → High
status: New → In Progress
Andreas Wenning (andreas-wenning)
Changed in mediawiki:
status: In Progress → Fix Committed
Revision history for this message
Andreas Wenning (andreas-wenning) wrote :

Debdiff for hardy, both built and tested locally.

Revision history for this message
Andreas Wenning (andreas-wenning) wrote :

And same for intrepid.

Changed in mediawiki:
status: New → Triaged
status: New → Triaged
Revision history for this message
Andreas Wenning (andreas-wenning) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs Andreas. I'll release packages today.

Could you please tag your patches next time, according to https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines and https://wiki.ubuntu.com/SecurityUpdateProcedures .

Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.13.3-1ubuntu2

---------------
mediawiki (1:1.13.3-1ubuntu2) jaunty; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch based on upstream patches for 1.13.4 and 1.13.5
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden> Thu, 26 Mar 2009 09:25:16 +0100

Changed in mediawiki:
status: Fix Committed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Andreas,

Are you sure about this part in the hardy debdiff:

+Index: mediawiki-1.11.2/includes/GlobalFunctions.php
+===================================================================
+--- mediawiki-1.11.2.orig/includes/GlobalFunctions.php 2008-03-03 08:09:26.000000000 +0100
++++ mediawiki-1.11.2/includes/GlobalFunctions.php 2009-03-26 09:40:33.000000000 +0100
+@@ -2320,4 +2320,19 @@
+ return wfIsWindows()
+ ? 'NUL'
+ : '/dev/null';
+-}
+\ No newline at end of file
++}
++

I think the "No newline..." part is a mistake, and now, it's included in the function...

Changed in mediawiki:
status: Triaged → Fix Committed
assignee: nobody → mdeslaur
status: Triaged → Incomplete
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

duh...it's diff-generated. Nothing to see here, please move along...

Changed in mediawiki:
assignee: mdeslaur → nobody
status: Incomplete → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.12.0-2ubuntu0.3

---------------
mediawiki (1:1.12.0-2ubuntu0.3) intrepid-security; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch taken directly from Debian
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden> Thu, 26 Mar 2009 09:33:41 +0100

Changed in mediawiki:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.11.2-2ubuntu0.3

---------------
mediawiki (1:1.11.2-2ubuntu0.3) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple cross-site scripting (XSS) vulnerabilities in
    the web-based installer (config/index.php). (LP: #348858)
    - CVE-2009-0737
    - debian/patches/CVE-2009-0737.patch
    - patch based on Debian patch
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514547
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

 -- Andreas Wenning <email address hidden> Thu, 26 Mar 2009 09:55:33 +0100

Changed in mediawiki:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.