mediawiki: login CSRF in Special:ChangePassword

Debian Bug report logs - #742857


Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 28 Mar 2014 07:03:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version mediawiki/1:1.19.13+dfsg-1

Fixed in versions mediawiki/1:1.19.14+dfsg-1, mediawiki/1:1.19.14+dfsg-0+deb7u1

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#742857; Package mediawiki. (Fri, 28 Mar 2014 07:03:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 28 Mar 2014 07:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: mediawiki: login CSRF in Special:ChangePassword
Date: Fri, 28 Mar 2014 08:58:41 +0200
Package: mediawiki
Version: 1:1.19.13+dfsg-1
Severity: important
Tags: security, fixed-upstream

https://bugzilla.wikimedia.org/show_bug.cgi?id=62497
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html
Patch: https://gerrit.wikimedia.org/r/#/c/121517/1/includes/specials/SpecialChangePassword.php
CVE request: http://www.openwall.com/lists/oss-security/2014/03/28/1

I have not verified this issue and I have not tested this in stable. Please ask
if you need help.

---
Henri Salo

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Mar 2014 07:48:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>:
Bug#742857; Package mediawiki. (Fri, 28 Mar 2014 08:39:04 GMT)


Acknowledgement sent to Thorsten Glaser <t.glaser@tarent.de>:
Extra info received and forwarded to list. Copy sent to Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>. (Fri, 28 Mar 2014 08:39:04 GMT)


Message #12 received at 742857@bugs.debian.org:

From: Thorsten Glaser <t.glaser@tarent.de>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 742857@bugs.debian.org, jmw@debian.org, pkg-mediawiki-devel@lists.alioth.debian.org, team@security.debian.org
Subject: Re: proposed-stable update of Mediawiki (core and extensions)
Date: Fri, 28 Mar 2014 09:35:11 +0100 (CET)
On Fri, 28 Mar 2014, Thijs Kinkhorst wrote:

> make much sense to release it now that a new issue has been published. Can you 
> make updated packages that include the CSRF fix? We will then make an effort 
> to process them as soon as possible.

OK, thanks. I’m on it.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg



Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Fri, 28 Mar 2014 09:24:14 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 28 Mar 2014 09:24:14 GMT)


Message #17 received at 742857-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 742857-close@bugs.debian.org
Subject: Bug#742857: fixed in mediawiki 1:1.19.14+dfsg-1
Date: Fri, 28 Mar 2014 09:20:20 +0000
Source: mediawiki
Source-Version: 1:1.19.14+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 28 Mar 2014 09:56:29 +0100
Source: mediawiki
Binary: mediawiki mediawiki-classes
Architecture: source all
Version: 1:1.19.14+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
 mediawiki-classes - website engine for collaborative work - standalone classes
Closes: 742857
Changes: 
 mediawiki (1:1.19.14+dfsg-1) unstable; urgency=medium
 .
   * New upstream security fix release (Closes: #742857):
     - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
     - (bug 62467) Set a title for the context during import on the cli
   * Use upstream-provided signing key bundle




Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Tue, 01 Apr 2014 21:21:31 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 01 Apr 2014 21:21:31 GMT)


Message #22 received at 742857-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 742857-close@bugs.debian.org
Subject: Bug#742857: fixed in mediawiki 1:1.19.14+dfsg-0+deb7u1
Date: Tue, 01 Apr 2014 21:17:26 +0000
Source: mediawiki
Source-Version: 1:1.19.14+dfsg-0+deb7u1

We believe that the bug you reported is fixed in the latest version of
mediawiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mediawiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 28 Mar 2014 10:36:48 +0100
Source: mediawiki
Binary: mediawiki
Architecture: source all
Version: 1:1.19.14+dfsg-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Mediawiki Maintenance Team <pkg-mediawiki-devel@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mediawiki  - website engine for collaborative work
Closes: 706601 716884 719208 729629 742857
Changes: 
 mediawiki (1:1.19.14+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   * New upstream security fix release (Closes: #742857):
     - (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword
     - (bug 62467) Set a title for the context during import on the cli
     - (bug 61362) Don't find links in the middle of api.php links
     - (bug 60771) disallow iframe and unusual namespaces in SVG
     - (bug 61346) make token comparison use constant time
   * Fix bugs (file permissions; superfluous COPYING files) lintian
     pointed out (backported from sid)
   * Backport debian/rules get-orig-source-*, debian/upstream/signing-key.asc
     and debian/watch changes from sid, to prepare for sid (or experimental)
     switching to MediaWiki 1.23 (in which case further updates for stable
     will need to be made using this SVN branch)
 .
 mediawiki (1:1.19.11+dfsg-0+deb7u1) wheezy-security; urgency=high
 .
   [ Thorsten Glaser ]
   * New upstream security fix release (Closes: #729629, #706601):
     - CVE-2014-1610 (bug 60339) remote code exec in Djvu thumbnailer
     - CVE-2013-4568 (bug 58088) Don't normalize U+FF3C to \ in CSS Checks
     - CVE-2013-6452 (bug 57550) Disallow stylesheets in SVG Uploads
     - CVE-2013-6453 (bug 58553) Return error on invalid XML for SVG Uploads
     - CVE-2013-6454 (bug 58472) Disallow -o-link in styles
     - CVE-2013-6472 (bug 58699) Fix RevDel log entry information leaks
     - CVE-2013-4572 (bug 53032) Don't cache when a call could autocreate
     - CVE-2013-4567 (bug 55332) Vertical tab allows bypassing filters
     - CVE-2013-4568 (bug 55332) "expression" filtering in IE6 bypass
     - SVG script filtering could be bypassed for Chrome and Firefox
       clients by using an encoding that MediaWiki understood, but these
       browsers interpreted as UTF-8. (CVE-2013-2031)
     - Internal review discovered that extensions were not given the
       opportunity to disable a password reset, which could lead to
       circumvention of two-factor authentication (CVE-2013-2032)
     - (and others)
   * Replace trademarked image files by self-drawn Free ones
   * Secure the default images directory (Closes: #716884)
   * Handle /var/lib/mediawiki/extensions/* always as symlinks, for
     both core and extra extensions, with upgrade path (Closes: #719208)
   * Ship files in /etc/mediawiki-extensions/extensions-available/
     for extensions shipped with the mediawiki core
   * Change watch file to track upstream LTS version
   * debian/control: Change VCS-* URLs (unbreak; point to stable)
   * Update copyright file with things noted by Paul Tagliamonte, thanks!
   * Refresh one patch to make it apply cleanly against 1.19.11
 .
   [ Florian Weimer ]
   * Add “Replaces: mediawiki-extensions-confirmedit”




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Apr 2014 07:30:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:44 2019; Machine Name: buxtehude
