Bug 620226 - CVE-2010-2787 CVE-2010-2788 mediawiki various flaws [fedora-all]
CVE-2010-2787 CVE-2010-2788 mediawiki various flaws [fedora-all]
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mediawiki (Show other bugs)
13
All Linux
low Severity low
: ---
: ---
Assigned To: Axel Thimm
Fedora Extras Quality Assurance
: Security, SecurityTracking
Depends On:
Blocks: CVE-2010-2787 CVE-2010-2788
  Show dependency treegraph
 
Reported: 2010-08-01 12:23 EDT by Jan Lieskovsky
Modified: 2011-04-30 19:26 EDT (History)
1 user (show)

See Also:
Fixed In Version: mediawiki-1.16.4-58.fc13
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-21 01:28:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-08-01 12:23:16 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=620224

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]
Comment 1 Jan Lieskovsky 2010-08-01 12:23:34 EDT
    Adding parent bug CVE-2010-2788
    New bodhi update url:
    https://admin.fedoraproject.org/updates/new/?type_=security&bugs=620224,620225
Comment 2 Axel Thimm 2011-04-05 16:24:03 EDT
There are still no details on the nature of these CVEs in neither mitre nor nvd. The status in mitre is "reserved, under review" and nvd return an error on these CVEs.
Comment 3 Jan Lieskovsky 2011-04-06 06:06:50 EDT
Hi Axel,

  thank you for checking with us.

(In reply to comment #2)
> There are still no details on the nature of these CVEs in neither mitre nor
> nvd. The status in mitre is "reserved, under review" and nvd return an error on
> these CVEs.

Below is the copy of the email / query I sent to Tim Starling regarding
patches clarification (you were Cc-ed):
=======================================

Hello Tim,

  based on query from Axel below:
  "There are still no details on the nature of these CVEs in neither mitre nor
   nvd. The status in mitre is "reserved, under review" and nvd return an error
   on these CVEs."

searched for patches for the following two mediawiki flaws:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=620224
[2] https://bugzilla.redhat.com/show_bug.cgi?id=620225

in the Mediawiki upstream SVN repository:
[3] http://www.mediawiki.org/wiki/Download_from_SVN

and based on the log found the following:
1), the upstream patch for CVE-2010-2787 seems to be the following:
    [4] http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69776
2), and upstream patches for CVE-2010-2788 seem to be the following two:
    [5] http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69952 and
    [6] http://svn.wikimedia.org/viewvc/mediawiki?view=revision&revision=69984

But prior providing this information to Axel, so he could build the Fedora
mediawiki updates, wanted to check with you.

Tim, could you please confirm, the [4], [5], and [6] are the correct upstream
Mediawiki patches for CVE-2010-2787 and CVE-2010-2788 flaws, so Axel could
build the updates?

Thank you in advance for your time, look and cooperation.

Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team 

=======================================

Hope this helps, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 4 Fedora Update System 2011-04-09 15:20:43 EDT
mediawiki-1.16.2-56.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc14
Comment 5 Fedora Update System 2011-04-09 15:20:43 EDT
mediawiki-1.16.2-56.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc13
Comment 6 Fedora Update System 2011-04-09 15:20:46 EDT
mediawiki-1.16.2-56.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.2-56.fc15
Comment 7 Fedora Update System 2011-04-16 02:53:17 EDT
mediawiki-1.16.4-57.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc14
Comment 8 Fedora Update System 2011-04-16 02:53:58 EDT
mediawiki-1.16.4-57.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc13
Comment 9 Fedora Update System 2011-04-16 02:54:37 EDT
mediawiki-1.16.4-57.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc15
Comment 10 Fedora Update System 2011-04-16 16:54:42 EDT
Package mediawiki-1.16.4-57.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mediawiki-1.16.4-57.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-57.fc14
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2011-04-21 01:27:46 EDT
mediawiki-1.16.4-57.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2011-04-22 04:36:41 EDT
mediawiki-1.16.4-58.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc14
Comment 13 Fedora Update System 2011-04-22 04:37:26 EDT
mediawiki-1.16.4-58.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc13
Comment 14 Fedora Update System 2011-04-22 04:38:09 EDT
mediawiki-1.16.4-58.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/mediawiki-1.16.4-58.fc15
Comment 15 Fedora Update System 2011-04-26 12:04:01 EDT
mediawiki-1.16.4-58.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2011-04-30 19:23:38 EDT
mediawiki-1.16.4-58.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2011-04-30 19:25:25 EDT
mediawiki-1.16.4-58.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.