Bug 571926 - (CVE-2010-1189, CVE-2010-1190) MediaWiki: Two security fixes in v1.15.2
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://lists.wikimedia.org/pipermail/...
Whiteboard: impact=moderate,source=secunia,report...
Keywords: Security
Reported: 2010-03-09 15:37 EST by Jan Lieskovsky
Modified: 2010-07-06 13:22 EDT
Doc Type: Bug Fix
Attachments: None
Description Jan Lieskovsky 2010-03-09 15:37:57 EST
MediaWiki upstream has released new v1.15.2 version of MediaWiki, fixing two security issues (from upstream announcement):
  http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html

a, "A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected."

CVE identifier of CVE-2010-1189 has been assigned to this.

--

b, "A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']."

CVE identifier of CVE-2010-1190 has been assigned to this.

Upstream patch:
  http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz

References:
  http://secunia.com/advisories/38856/

CVE Request:
  http://www.openwall.com/lists/oss-security/2010/03/09/4
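The workaround quoted for the second issue only applies when the wiki does not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']. The POSIX shell script below, added here as an example and not taken from the bug report or from MediaWiki, inspects a LocalSettings.php for active (uncommented) assignments to either setting and reports whether deleting thumb.php is an applicable workaround. The function names and the sample configurations it builds under a temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from MediaWiki): decide whether
# the advisory's workaround, deleting thumb.php, applies to a given wiki.
# The advisory limits the workaround to private wikis that do not use
# $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].

# thumb_script_in_use LOCALSETTINGS
# Exit 0 if LocalSettings.php contains an active assignment to one of the
# two settings, 1 otherwise. A line commented out with '#' or '//' does not
# match, because the pattern requires the assignment to start the line.
thumb_script_in_use() {
    grep -Eq \
        '^[[:space:]]*\$(wgThumbnailScriptPath|wgLocalRepo\[[[:space:]]*.thumbScriptUrl.[[:space:]]*\])[[:space:]]*=' \
        "$1"
}

# thumb_workaround_status LOCALSETTINGS THUMB_PHP_PATH
# Prints exactly one word and always exits 0:
#   already-removed  thumb.php is not present at THUMB_PHP_PATH
#   in-use           a thumbnail-script setting is active; keep thumb.php
#   safe-to-remove   no such setting; the advisory's workaround applies
thumb_workaround_status() {
    if [ ! -e "$2" ]; then
        echo already-removed
    elif thumb_script_in_use "$1"; then
        echo in-use
    else
        echo safe-to-remove
    fi
}

# Demonstration on constructed sample configurations (not real wiki files).
demo() {
    dir=$(mktemp -d)
    : > "$dir/thumb.php"    # stand-in for the real script
    printf '%s\n' '<?php' '$wgSitename = "Private";' \
        '# $wgThumbnailScriptPath = "/w/thumb.php";' > "$dir/plain.php"
    printf '%s\n' '<?php' \
        "\$wgLocalRepo['thumbScriptUrl'] = \"/w/thumb.php\";" > "$dir/repo.php"
    echo "plain config:  $(thumb_workaround_status "$dir/plain.php" "$dir/thumb.php")"
    echo "repo config:   $(thumb_workaround_status "$dir/repo.php" "$dir/thumb.php")"
    rm -f "$dir/thumb.php"
    echo "after removal: $(thumb_workaround_status "$dir/plain.php" "$dir/thumb.php")"
    rm -rf "$dir"
}

demo
```

The script only reports; it deletes nothing. It recognises the two direct, single-line assignment forms the advisory names, so a repository configured through a multi-line `$wgLocalRepo = array( ... )` block still needs a manual look before thumb.php is removed.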
Comment 1 Jan Lieskovsky 2010-03-09 15:50:14 EST
These issues affect the versions of the mediawiki package, as shipped
with Fedora releases of 11 and 12, and as shipped within EPEL5 repository.

Please fix.
Comment 2 Fedora Update System 2010-04-02 17:57:53 EDT
mediawiki-1.15.2-51.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mediawiki-1.15.2-51.fc11
Comment 3 Fedora Update System 2010-04-02 17:58:04 EDT
mediawiki-1.15.2-51.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mediawiki-1.15.2-51.fc12
Comment 4 Fedora Update System 2010-07-06 13:22:53 EDT
mediawiki-1.15.3-53.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.