[Secure-testing-team] Bug#514547: mediawiki: new upstream release, fixes security issues in the installer

Romain Beauxis toots at rastageeks.org
Sun Feb 8 18:15:41 UTC 2009 

Package: mediawiki
Version: 1:1.12.0-2lenny3
Severity: grave
Tags: security
Justification: user security hole


	Hi all !

A new upstream release of mediawiki was done in order to fix security 
issues in the installer:

"This is a security release of 1.13.4, 1.12.4 and 1.6.12.

A number of cross-site scripting (XSS) security vulnerabilities were
discovered in the web-based installer (config/index.php). These vulnerabilities all
require a live installer -- once the installer has been used to
install a wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack
any website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used to
attack the active service.

If you are hosting an old copy of MediaWiki that you have never
installed, we advise you to remove it from the web.

Additionally, we are releasing 1.14.0rc1, the first release candidate
of the 2009 Q1 branch. Brave souls are encouraged to download it and
try it out.

Note that we have disabled SQLite installation in 1.14, due to the
incompleteness of the implementation. We intend to restore it in 1.15.
We're not sure how many people are using SQLite, so contact us if our
treatment of it is causing you problems."

I have already imported the patch in the lenny/ branch on the SVN[1], but I have absolutely 
no time to do serious testings, so any interested contributor would be much welcome :)


Romain

[1]: svn{+ssh}://svn.debian.org/svn/pkg-mediawiki/mediawiki/lenny

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2-mpm-worker [httpd 2.2.11-1       Apache HTTP Server - high speed th
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  mime-support              3.44-1         MIME files 'mime.types' & 'mailcap
ii  php5                      5.2.6.dfsg.1-2 server-side, HTML-embedded scripti
ii  php5-mysql                5.2.6.dfsg.1-2 MySQL module for php5

Versions of packages mediawiki recommends:
ii  mysql-server-5.0 [mysql-s 5.0.67-1       MySQL database server binaries
ii  php5-cli                  5.2.6.dfsg.1-2 command-line interpreter for the p

Versions of packages mediawiki suggests:
pn  clamav        <none>                     (no description available)
ii  imagemagick   7:6.3.7.9.dfsg1-2.1+lenny1 image manipulation programs
pn  mediawiki-mat <none>                     (no description available)
pn  memcached     <none>                     (no description available)

-- debconf information:
  mediawiki/webserver: apache2

More information about the Secure-testing-team mailing list