[Secure-testing-team] Bug#655694: mediawiki: cache poison vulnerability
Jonathan Wiltshire
jmw at debian.org
Fri Jan 13 09:38:45 UTC 2012
Package: mediawiki
Version: 1:1.15.5
Severity: important
Tags: security

CVE-2012-0046 describes a cache poison vulnerability.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose deleted text to unprivileged users through cache pollution.

Refs:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-January/000107.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=33117
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages mediawiki depends on:
ii apache2 2.2.21-5
ii apache2-mpm-prefork [httpd] 2.2.21-5
ii debconf [debconf-2.0] 1.5.41
ii mime-support 3.51-1
ii php5 5.3.8.0-1
ii php5-mysql 5.3.8.0-1+b1
ii php5-pgsql 5.3.8.0-1+b1
ii php5-sqlite 5.3.8.0-1+b1
Versions of packages mediawiki recommends:
ii mysql-server 5.1.58-1
ii mysql-server-5.1 [mysql-server] 5.1.58-1
ii php5-cli 5.3.8.0-1+b1
Versions of packages mediawiki suggests:
ii clamav 0.97.3+dfsg-2
ii imagemagick 8:6.6.9.7-5+b2
ii mediawiki-math <none>
ii memcached <none>
ii php5-gd 5.3.8.0-1+b1
-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]
-- debconf information excluded