CSRF and XSS vulnerability; new version 1.15.4 released

Bug #586773 reported by Andreas Wenning
Affects               Status        Importance  Assigned to      Milestone
mediawiki (Ubuntu)    Fix Released  Medium      Andreas Wenning
  Hardy               Fix Released  Medium      Andreas Wenning
  Jaunty              Fix Released  Medium      Andreas Wenning
  Karmic              Fix Released  Medium      Andreas Wenning
  Lucid               Fix Released  Medium      Andreas Wenning
  Maverick            Fix Released  Medium      Andreas Wenning

Bug Description

Binary package hint: mediawiki

http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html

Two security vulnerabilities were discovered.

Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE; it has been confirmed on IE 6 and 8.

Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.

These vulnerabilities are serious and all users are advised to
upgrade. Remember that CSRF and XSS vulnerabilities can be used even
against firewall-protected intranet installations, as long as the
attacker can guess the URL.
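
The decode-then-check pattern that the IE CSS issue above calls for, as an added example in Python (illustrative code, not MediaWiki's Sanitizer or the upstream patch). It goes slightly beyond the announcement: besides CSS backslash escapes it also normalises HTML character references and strips CSS comments before inspecting the value, since all three let a keyword slip past a check that only looks at the raw string. The forbidden-keyword list, the control-character rule and the sample inputs are this example's own assumptions.

```python
import html
import re

# Constructs that must not reach a browser from a user-supplied style.
# The list is this example's assumption, not any project's exact list.
FORBIDDEN = re.compile(
    r"expression|url\s*\(|javascript:|vbscript:|behavior\s*:|-moz-binding|@import",
    re.IGNORECASE,
)

# CSS 2 escape grammar: backslash followed by a line break (continuation,
# removed), 1-6 hex digits plus optional single whitespace (code point),
# any other character (itself), or end of string (dropped).
_CSS_ESCAPE = re.compile(
    r"\\(?:(\r\n|\n|\r|\f)|([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.)|$)", re.DOTALL
)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Control characters some parsers silently drop; rejecting them is this
# example's conservative choice.
_CONTROL = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")


def _decode_escape(m):
    if m.group(1) is not None:          # backslash-newline: line continuation
        return ""
    if m.group(2) is not None:          # \HHHHHH: numeric code point
        cp = int(m.group(2), 16)
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    if m.group(3) is not None:          # \c: the character itself
        return m.group(3)
    return ""                           # lone trailing backslash


def decode_css(value: str) -> str:
    """Normalise a style value the way a lenient browser will before it
    interprets it: HTML character references, then comments, then escapes."""
    value = html.unescape(value)
    value = _COMMENT.sub("", value)
    return _CSS_ESCAPE.sub(_decode_escape, value)


def naive_is_safe(value: str) -> bool:
    """The bypassable approach: pattern-match the raw, still-encoded string."""
    return FORBIDDEN.search(value) is None


def check_css(value: str) -> str:
    """Decode first, check second, and emit the decoded form so that what the
    browser receives is exactly what was inspected."""
    decoded = decode_css(value)
    if _CONTROL.search(decoded):
        return "/* invalid control char */"
    if FORBIDDEN.search(decoded):
        return "/* insecure input */"
    return decoded


if __name__ == "__main__":
    # Constructed samples: the first three pass the raw-string check but
    # decode to an IE expression() once the browser has normalised them.
    samples = [
        r"width: exp\72 ession(alert(1))",      # CSS hex escape for 'r'
        "width: expr/**/ession(alert(1))",      # comment splits the keyword
        "width: &#101;xpression(alert(1))",     # HTML character reference
        "color: #ff0000; font-weight: bold",    # benign
    ]
    for s in samples:
        print(f"{s!r:45} naive_safe={naive_is_safe(s)!s:5} -> {check_css(s)!r}")
```

Returning the decoded string rather than the original is the part worth copying: it closes the gap between "the string we checked" and "the string the browser parsed", which is exactly the gap IE's lenient decoding exploited. A production sanitizer should follow the CSS tokenizer rather than regexes, but the ordering (normalise, then inspect, then emit the normalised form) is the same.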

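The CSRF exposure described above, as an added example in Python (illustrative code, not MediaWiki's Special:UserLogin or the upstream patch). It models a private wiki where only a sysop may create accounts: a cross-site form posted from an attacker's page carries the sysop's session cookie, so an authorisation check alone lets it through, while a token bound to the session and the specific action does not. The token construction, the form field name `csrf_token`, the action strings and the handler signatures are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret that keys the tokens. Assumption of this example:
# in a real deployment it lives in server configuration, not in code.
SERVER_SECRET = secrets.token_bytes(32)


class Session:
    """Minimal stand-in for a server-side session tied to a cookie."""
    def __init__(self, user=None, can_create_accounts=False):
        self.id = secrets.token_hex(16)
        self.user = user
        self.can_create_accounts = can_create_accounts


def csrf_token(session: Session, action: str) -> str:
    """Token bound to this session and this action. An attacker's page can
    make the browser send the cookie but cannot read the token out of the
    wiki's own form, so it cannot include it in a forged POST."""
    msg = f"{session.id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_ok(session: Session, action: str, presented) -> bool:
    if not isinstance(presented, str) or not presented:
        return False
    return hmac.compare_digest(csrf_token(session, action), presented)


def render_create_account_form(session: Session) -> dict:
    """The hidden field the legitimate page embeds alongside the form."""
    return {"csrf_token": csrf_token(session, "createaccount")}


# --- Before: the handler checks authorisation but not request origin -----
def create_account_unprotected(session, form, users: dict) -> str:
    if not session.can_create_accounts:
        return "error: permission denied"
    users[form["username"]] = form["password"]
    return "created"


# --- After: the same handler also requires the session-bound token --------
def create_account(session, form, users: dict) -> str:
    if not session.can_create_accounts:
        return "error: permission denied"
    if not token_ok(session, "createaccount", form.get("csrf_token")):
        return "error: session failure"
    users[form["username"]] = form["password"]
    return "created"


def reset_password(session, form, users: dict, outbox: list) -> str:
    """Password reset uses its own action string, so a token captured for
    account creation cannot be replayed here."""
    if not token_ok(session, "passwordreset", form.get("csrf_token")):
        return "error: session failure"
    name = form.get("username")
    if name not in users:
        return "error: no such user"
    temp = secrets.token_urlsafe(12)
    users[name] = temp
    outbox.append((name, temp))          # stands in for the e-mail
    return "mailed"


def demo() -> dict:
    """Replays the scenario: a sysop of a private wiki visits an attacker's
    page whose auto-submitting form posts to the wiki with the sysop's cookie."""
    users = {"sysop": "hunter2"}
    sysop = Session(user="sysop", can_create_accounts=True)
    # Constructed cross-site POST: the cookie rides along, the token cannot.
    forged = {"username": "attacker", "password": "p@ss"}
    before = create_account_unprotected(sysop, forged, dict(users))
    after = create_account(sysop, forged, dict(users))
    # A legitimate submission from the wiki's own form carries the token.
    legit = dict(forged, **render_create_account_form(sysop))
    legit_result = create_account(sysop, legit, users)
    # A token for one action does not unlock another.
    cross = reset_password(
        sysop, {"username": "sysop", **render_create_account_form(sysop)}, users, []
    )
    return {"before": before, "after": after, "legit": legit_result,
            "cross_action": cross}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The intranet caveat at the end of the announcement follows directly from the model: the forged request is issued by the victim's own browser from inside the perimeter, so a firewall that only filters the attacker's traffic never sees it. Binding the token to the action as well as the session costs nothing and stops a token leaked from one form being replayed against the other.
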
Changed in mediawiki (Ubuntu):
assignee: nobody → Andreas Wenning (andreas-wenning)
status: New → In Progress
Changed in mediawiki (Ubuntu Lucid):
status: New → In Progress
Changed in mediawiki (Ubuntu Karmic):
status: New → In Progress
Changed in mediawiki (Ubuntu Jaunty):
status: New → In Progress
Changed in mediawiki (Ubuntu Hardy):
status: New → In Progress
assignee: nobody → Andreas Wenning (andreas-wenning)
Changed in mediawiki (Ubuntu Jaunty):
assignee: nobody → Andreas Wenning (andreas-wenning)
Changed in mediawiki (Ubuntu Karmic):
assignee: nobody → Andreas Wenning (andreas-wenning)
Changed in mediawiki (Ubuntu Lucid):
assignee: nobody → Andreas Wenning (andreas-wenning)
visibility: private → public
Andreas Wenning (andreas-wenning) wrote :

Debdiff fixing this for lucid.

Andreas Wenning (andreas-wenning) wrote :

Debdiff fixing this for karmic.

Andreas Wenning (andreas-wenning) wrote :

Debdiff fixing this for jaunty.

Andreas Wenning (andreas-wenning) wrote :

Debdiff fixing this for hardy.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.1-1ubuntu3

---------------
mediawiki (1:1.15.1-1ubuntu3) maverick; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:49:46 +0200

Changed in mediawiki (Ubuntu Maverick):
status: In Progress → Fix Released
Andreas Wenning (andreas-wenning) wrote :

All of the above have been successfully tested in the relevant release in a chroot.

Changed in mediawiki (Ubuntu Hardy):
status: In Progress → Confirmed
Changed in mediawiki (Ubuntu Lucid):
status: In Progress → Confirmed
Changed in mediawiki (Ubuntu Karmic):
status: In Progress → Confirmed
Changed in mediawiki (Ubuntu Jaunty):
status: In Progress → Confirmed
Kees Cook (kees) wrote :

ACK for all releases; thanks for the debdiffs and testing. These are building now in the security queue.

Changed in mediawiki (Ubuntu Hardy):
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Lucid):
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Karmic):
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Maverick):
importance: Undecided → Medium
Changed in mediawiki (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in mediawiki (Ubuntu Karmic):
status: Confirmed → Fix Committed
Changed in mediawiki (Ubuntu Hardy):
status: Confirmed → Fix Committed
Changed in mediawiki (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Andreas Wenning (andreas-wenning) wrote :

Looks like they will become CVE-2010-1647 and CVE-2010-1648 according to http://security-tracker.debian.org/tracker/source-package/mediawiki if you want to mark them in the cve-tracker.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.1-1ubuntu2.1

---------------
mediawiki (1:1.15.1-1ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:49:12 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.0-1.1ubuntu0.3

---------------
mediawiki (1:1.15.0-1.1ubuntu0.3) karmic-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:48:35 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.13.3-1ubuntu2.3

---------------
mediawiki (1:1.13.3-1ubuntu2.3) jaunty-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:47:42 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.11.2-2ubuntu0.6

---------------
mediawiki (1:1.11.2-2ubuntu0.6) hardy-security; urgency=low

  * SECURITY UPDATE: A CSRF vulnerability was discovered in our login
    interface. Although regular logins are protected as of 1.15.3, it was
    discovered that the account creation and password reset features were not
    protected from CSRF. This could lead to unauthorised access to private
    wikis. (LP: #586773)
    - debian/patches/CSRF-Special-Userlogin-no-CVE_rev-66991.patch
    - patch from upstream SVN rev. 66991
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
  * SECURITY UPDATE: Noncompliant CSS parsing behaviour in Internet Explorer
    allows attackers to construct CSS strings which are treated as safe by
    previous versions of MediaWiki, but are decoded to unsafe strings by
    Internet Explorer. (LP: #586773)
    - debian/patches/XSS-IE-no-CVE_rev-66992.patch
    - patch from upstream SVN rev. 66992
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
 -- Andreas Wenning <email address hidden> Mon, 31 May 2010 00:45:24 +0200

Changed in mediawiki (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mediawiki (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in mediawiki (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in mediawiki (Ubuntu Lucid):
status: Fix Committed → Fix Released