mediawiki: CVE-2013-7444 CVE-2015-6727 CVE-2015-6728 CVE-2015-6730

Debian Bug report logs - #799096
mediawiki: CVE-2013-7444 CVE-2015-6727 CVE-2015-6728 CVE-2015-6730

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: mediawiki: CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Date: Tue, 15 Sep 2015 22:10:48 +0200

Source: mediawiki
Version: 1:1.19.5-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for mediawiki.

CVE-2015-6727[0]:
| The Special:DeletedContributions page in MediaWiki before 1.23.10,
| 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers
| to determine if an IP is autoblocked via the "Change block" text.

CVE-2015-6728[1]:
| The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10,
| 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token
| comparison in constant time, which allows remote attackers to guess
| the watchlist token and bypass CSRF protection via a timing attack.

CVE-2015-6729[2]:
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
| before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
| remote attackers to inject arbitrary web script or HTML via the rel404
| parameter, which is not properly handled in an error page.

CVE-2015-6730[3]:
| Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
| before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
| remote attackers to inject arbitrary web script or HTML via the f
| parameter, which is not properly handled in an error page, related to
| "ForeignAPI images."

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-6727
[1] https://security-tracker.debian.org/tracker/CVE-2015-6728
[2] https://security-tracker.debian.org/tracker/CVE-2015-6729
[3] https://security-tracker.debian.org/tracker/CVE-2015-6730

Regards,
Salvatore

Message #10 received at 799096@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 799096@bugs.debian.org

Subject: Re: Bug#799096: mediawiki: CVE-2013-7444 CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Date: Tue, 15 Sep 2015 22:17:38 +0200

Control: retitle -1 mediawiki: CVE-2013-7444 CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Hi

I forgot to include CVE-2013-7444 in the bugreport, see
https://security-tracker.debian.org/tracker/CVE-2013-7444 for details.

Regards,
Salvatore

Message #17 received at 799096@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: 799096@bugs.debian.org

Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: Bug#799096: mediawiki: CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Date: Wed, 16 Sep 2015 15:17:09 +0200 (CEST)

On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:

> CVE-2015-6730[3]:
> | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> | remote attackers to inject arbitrary web script or HTML via the f
> | parameter, which is not properly handled in an error page, related to
> | "ForeignAPI images."

Judging from https://phabricator.wikimedia.org/T97391#1242481
and the last messages in the bugreport, and the lack of mention
of this in the git log for the various supported branches, I
believe that this particular CVE is still unfixed upstream.

Found diffs for the other three, though…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Message #22 received at 799096@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: 799096@bugs.debian.org

Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: Bug#799096: mediawiki: CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Date: Wed, 16 Sep 2015 15:31:31 +0200 (CEST)

On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:

> CVE-2015-6729[2]:
> | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> | remote attackers to inject arbitrary web script or HTML via the rel404
> | parameter, which is not properly handled in an error page.

1.19 is not vulnerable against this as it never echos the passed string.
This was added e.g. in commit a04d9cb7487773e102285de13b7092a2bc9b6821
first released in 1.21.0 according to 'git tag --contains'.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Message #27 received at 799096@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Thorsten Glaser <t.glaser@tarent.de>, 799096@bugs.debian.org

Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org

Subject: Re: Bug#799096: mediawiki: CVE-2015-6727 CVE-2015-6728 CVE-2015-6729 CVE-2015-6730

Date: Wed, 16 Sep 2015 17:33:57 +0200

Control: retitle -1 CVE-2015-6727 CVE-2015-6728 CVE-2015-6730

Hi Thorsten,

On Wed, Sep 16, 2015 at 03:31:31PM +0200, Thorsten Glaser wrote:
> On Tue, 15 Sep 2015, Salvatore Bonaccorso wrote:
> 
> > CVE-2015-6729[2]:
> > | Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki
> > | before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows
> > | remote attackers to inject arbitrary web script or HTML via the rel404
> > | parameter, which is not properly handled in an error page.
> 
> 1.19 is not vulnerable against this as it never echos the passed string.
> This was added e.g. in commit a04d9cb7487773e102285de13b7092a2bc9b6821
> first released in 1.21.0 according to 'git tag --contains'.

Thanks for the correction. I have now updated the security-tracker, so
should reflect correct status soon.

Regards,
Salvatore

Message #36 received at 799096-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 384719-done@bugs.debian.org,454235-done@bugs.debian.org,467026-done@bugs.debian.org,513903-done@bugs.debian.org,517237-done@bugs.debian.org,526265-done@bugs.debian.org,555822-done@bugs.debian.org,570535-done@bugs.debian.org,625911-done@bugs.debian.org,668601-done@bugs.debian.org,681184-done@bugs.debian.org,691321-done@bugs.debian.org,698617-done@bugs.debian.org,706368-done@bugs.debian.org,728347-done@bugs.debian.org,729498-done@bugs.debian.org,737323-done@bugs.debian.org,781974-done@bugs.debian.org,783503-done@bugs.debian.org,799096-done@bugs.debian.org,

Cc: mediawiki@packages.debian.org, mediawiki@packages.qa.debian.org

Subject: Bug#805588: Removed package(s) from unstable

Date: Fri, 18 Dec 2015 13:26:12 +0000

Version: 1:1.19.20+dfsg-2.3+rm

Dear submitter,

as the package mediawiki has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/805588

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.