Bug 1071136 (CVE-2014-2243)

Summary: CVE-2014-2243 mediawiki: timing attack on token
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: extras-orphan, gwync, ian, mike, puiterwijk
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mediawiki 1.22.3, mediawiki 1.21.6, mediawiki 1.19.12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-14 16:41:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1071142, 1071143, 1071157
Bug Blocks:

Description Murray McAllister 2014-02-28 06:58:49 UTC
The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 61346) SECURITY: Make token comparison use constant time. It seems like
  our token comparison would be vulnerable to timing attacks. This will take
  constant time.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z

Comment 1 Murray McAllister 2014-02-28 07:08:13 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1071142]

Comment 2 Murray McAllister 2014-02-28 07:08:17 UTC
Created mediawiki119 tracking bugs for this issue:

Affects: epel-6 [bug 1071143]

Comment 3 Murray McAllister 2014-02-28 07:20:20 UTC
Created mediawiki tracking bugs for this issue:

Affects: epel-5 [bug 1071157]

Comment 4 Murray McAllister 2014-02-28 07:26:47 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/02/28/1

Comment 5 Murray McAllister 2014-03-03 02:06:13 UTC
MITRE assigned CVE-2014-2243 to this issue: http://www.openwall.com/lists/oss-security/2014/03/01/2

Comment 6 Fedora Update System 2014-03-11 04:08:41 UTC
mediawiki-1.21.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-03-11 04:14:54 UTC
mediawiki-1.21.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-04-04 20:30:38 UTC
mediawiki119-1.19.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.