[Pkg-mediawiki-devel] Bug#590660: mediawiki: Private data leakage in MW >= 1.8

Jonathan Wiltshire debian at jwiltshire.org.uk
Wed Jul 28 08:15:56 UTC 2010


Package: mediawiki
Version: 1:1.12.0-2lenny5
Severity: grave
Tags: security upstream
Justification: user security hole

From http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html:

A data leakage vulnerability was discovered, affecting MediaWiki 1.8
and later. Public caching headers were incorrectly set on API
responses containing private data. By means of a CSRF-style attack,
this can lead to the disclosure of various types of private data
stored on a wiki. All users are advised to upgrade.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2                       2.2.16-1   Apache HTTP Server metapackage
ii  apache2-mpm-prefork [httpd]   2.2.16-1   Apache HTTP Server - traditional n
ii  debconf [debconf-2.0]         1.5.33     Debian configuration management sy
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap
ii  php5                          5.3.2-2    server-side, HTML-embedded scripti
ii  php5-mysql                    5.3.2-2    MySQL module for php5
ii  php5-pgsql                    5.3.2-2    PostgreSQL module for php5

Versions of packages mediawiki recommends:
ii  mysql-server                  5.1.48-1   MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-serve 5.1.48-1   MySQL database server binaries and
ii  php5-cli                      5.3.2-2    command-line interpreter for the p

Versions of packages mediawiki suggests:
ii  clamav                     0.96.1+dfsg-3 anti-virus utility for Unix - comm
ii  imagemagick                7:6.6.2.6-1   image manipulation programs
pn  mediawiki-math             <none>        (no description available)
pn  memcached                  <none>        (no description available)
ii  php5-gd                    5.3.2-2       GD module for php5

-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]

-- debconf information excluded

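The condition the advisory describes, publicly cacheable headers on responses to credentialed API requests, can be checked from captured request/response headers. The following is an added example, not part of the original report and not MediaWiki's code. It applies a simplified reading of the HTTP caching rules (Vary is ignored), and the URLs and header values in SAMPLE are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_reuse(response_headers, now=None):
    """True if a proxy/CDN could serve this response to another client."""
    h = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if {"private", "no-store", "no-cache"} & cc.keys():
        return False
    for name in ("s-maxage", "max-age"):      # s-maxage wins in shared caches
        if (cc.get(name) or "").isdigit():
            return int(cc[name]) > 0
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return False                      # invalid date counts as expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > (now or datetime.now(timezone.utc))
    return "public" in cc                     # heuristic freshness is allowed

def audit(exchanges):
    """Return URLs whose credentialed responses a shared cache could reuse."""
    flagged = []
    for url, request_headers, response_headers in exchanges:
        req = {k.lower() for k in request_headers}
        if req & {"cookie", "authorization"} and shared_cache_may_reuse(response_headers):
            flagged.append(url)
    return flagged

# Constructed sample exchanges (hypothetical URLs and header values).
SAMPLE = [
    ("/api.php?action=private-a", {"Cookie": "session=x"},
     {"Cache-Control": "public, max-age=3600"}),
    ("/api.php?action=private-b", {"Cookie": "session=x"},
     {"Cache-Control": "private, max-age=0"}),
    ("/api.php?action=private-c", {"Cookie": "session=x"},
     {"Cache-Control": "s-maxage=0, max-age=600"}),
    ("/api.php?action=anon", {}, {"Cache-Control": "public, max-age=3600"}),
]
```

audit(SAMPLE) returns only the first URL: the response to a request carrying a session cookie that is marked public with a positive lifetime.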
