[Pkg-mediawiki-devel] Bug#508869: Bug#508870: mediawiki: NMU to fix CVE-2008-5249, CVE-2008-5250, CVE-2008-5252

Romain Beauxis toots at rastageeks.org
Sun Jan 18 20:55:46 UTC 2009

On Sunday 18 January 2009 12:17:01 Giuseppe Iuculano, you wrote:
> Hi,

	Hi !

> the attached debdiff is for a proposed NMU to fix CVE-2008-5249,
> CVE-2008-5250, CVE-2008-5252 in lenny. (Backported from mediawiki 1.12.3)

Many thanks for this patch and your work !

I have built a fixed package and tested it, it works ok. Also, the changes 
look clean from the packaging point.

However, I won't comment on the content of the patch, I don't have enough time 
for that. I hope someone else can help reviewing it.


> mediawiki (1:1.12.0-2lenny2) testing-security; urgency=high
>
>   * Security update, NMU to fix CVE-2008-5249, CVE-2008-5250,
>     CVE-2008-5252
>   * debian/patches/CVE-2008-5249_CVE-2008-5250_CVE-2008-5252.patch:
>     - Fixed output escaping for reporting of non-MediaWiki exceptions.
>       Potential XSS if an extension throws one of these with user input.
>     - Avoid fatal error in profileinfo.php when not configured.
>     - Fixed CSRF vulnerability in Special:Import. Fixed input validation in
>       transwiki import feature.
>     - Add a .htaccess to deleted images directory for additional protection
>       against exposure of deleted files with known SHA-1 hashes on default
>       installations.
>     - Fixed XSS vulnerability for Internet Explorer clients, via file
>       uploads which are interpreted by IE as HTML.
>     - Fixed XSS vulnerability for clients with SVG scripting, on wikis
>       where SVG uploads are enabled. Firefox 1.5+ is affected.
>     - Avoid streaming uploaded files to the user via index.php. This allows
>       security-conscious users to serve uploaded files via a different
>       domain, and thus client-side scripts executed from that domain cannot
>       access the login cookies. Affects Special:Undelete, img_auth.php and
>       thumb.php.
>     - When streaming files via index.php, use the MIME type detected
>       from the file extension, not from the data. This reduces the XSS
>       attack surface.
>     - Blacklist redirects via Special:Filepath. Such redirects
>       exacerbate any XSS vulnerabilities involving uploads of files
>       containing scripts. Closes: #508869, #508870
>
>  -- Giuseppe Iuculano <giuseppe at iuculano.it>  Sun, 18 Jan 2009 11:54:02 +0100
>
> Cheers,
> Giuseppe
