
Re: [SECURITY] [DSA 2891-1] mediawiki security update



Debian-security,

  Looks like this update was botched a bit.  Specifically, the results
  of an update break a mediawiki site because files go missing.  Looks
  like those files were, in unstable, moved from the 'mediawiki' package
  into the 'mediawiki-classes' package, but that package is not in
  stable.

  Installing 'mediawiki-classes' from unstable appears to address this
  issue, but that's obviously less than ideal.

  Can -security please do an update to address those missing files (i.e.
  put them back into the mediawiki package)?  Or add mediawiki-classes
  to stable and then depend upon it?

  Errors seen while working this issue:

2014-03-30 13:27:10: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:  require(/var/lib/mediawiki/includes/libs/HttpStatus.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error:  require(): Failed opening required '/var/lib/mediawiki/includes/libs/HttpStatus.php' (include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009

2014-03-30 13:28:40: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:  require(/var/lib/mediawiki/includes/libs/IEUrlExtension.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error:  require(): Failed opening required '/var/lib/mediawiki/includes/libs/IEUrlExtension.php' (include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009

	Thanks!

		Stephen

* Thijs Kinkhorst (thijs@debian.org) wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2891-1                   security@debian.org
> http://www.debian.org/security/                           Thijs Kinkhorst
> March 30, 2014                         http://www.debian.org/security/faq
> -------------------------------------------------------------------------
> 
> Package        : mediawiki, mediawiki-extensions
> CVE ID         : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572 
>                  CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472
>                  CVE-2014-1610
> Debian Bug     : 729629 706601 742857 742857
> 
> Several vulnerabilities were discovered in MediaWiki, a wiki engine.
> The Common Vulnerabilities and Exposures project describes the following
> issues:
> 
> CVE-2013-2031
> 
>     Cross-site scripting attack via valid UTF-7 encoded sequences
>     in a SVG file.
> 
> CVE-2013-4567 & CVE-2013-4568
> 
>     Kevin Israel (Wikipedia user PleaseStand) reported two ways
>     to inject Javascript due to an incomplete blacklist in the
>     CSS sanitizer function.
> 
> CVE-2013-4572
> 
>     MediaWiki and the CentralNotice extension were incorrectly setting
>     cache headers when a user was autocreated, causing the user's
>     session cookies to be cached, and returned to other users.
> 
> CVE-2013-6452
> 
>     Chris from RationalWiki reported that SVG files could be
>     uploaded that include external stylesheets, which could lead to
>     XSS when an XSL was used to include JavaScript.
> 
> CVE-2013-6453
> 
>     MediaWiki's SVG sanitization could be bypassed when the XML was
>     considered invalid.
> 
> CVE-2013-6454
> 
>     MediaWiki's CSS sanitization did not filter -o-link attributes,
>     which could be used to execute JavaScript in Opera 12.
> 
> CVE-2013-6472
> 
>     MediaWiki displayed some information about deleted pages in
>     the log API, enhanced RecentChanges, and user watchlists.
> 
> CVE-2014-1610
> 
>     A remote code execution vulnerability existed if file upload
>     support for DjVu (natively handled) or PDF files (in
>     combination with the PdfHandler extension) was enabled.
>     Neither file type is enabled by default in MediaWiki.
> 
> (ID assignment pending)
> 
>     Cross site request forgery in login form: an attacker could login
>     a victim as the attacker.
> 
> For the stable distribution (wheezy), these problems have been fixed in
> version 1.19.14+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u1
> of the mediawiki-extensions package.
> 
> For the unstable distribution (sid), these problems have been fixed in
> version 1:1.19.14+dfsg-1 of the mediawiki package and 3.5 of the
> mediawiki-extensions package.
> 
> We recommend that you upgrade your mediawiki packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/20140330092539.7BA7259A04@kinkhorst.com

Attachment: signature.asc
Description: Digital signature
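The report above pins the breakage down from two FastCGI error lines. As an added example (not part of the original mail or of the Debian packages), the script below turns that manual reading into a post-upgrade check: it extracts every path that PHP's autoloader failed to `require()` from error-log text and reports which of those files are still absent under a given root. The sample log lines are constructed to mirror the ones in the report, plus one unrelated notice to show that it is ignored; the `sample_log` and `count_missing` helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the original report or from Debian:
# a post-upgrade check that pulls the paths PHP failed to require()
# out of FastCGI/PHP error-log lines and reports which are still
# missing under a given filesystem root.

# Constructed sample log, modelled on the lines quoted in the report.
sample_log() {
    cat <<'EOF'
2014-03-30 13:27:10: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:  require(/var/lib/mediawiki/includes/libs/HttpStatus.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error:  require(): Failed opening required '/var/lib/mediawiki/includes/libs/HttpStatus.php' (include_path='/var/lib/mediawiki:.') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
2014-03-30 13:28:40: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:  require(/var/lib/mediawiki/includes/libs/IEUrlExtension.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
2014-03-30 13:29:01: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Notice:  Undefined index: foo in /var/lib/mediawiki/LocalSettings.php on line 12
EOF
}

# Read log text on stdin; print each path require() could not open,
# one per line, de-duplicated (the Warning and the Fatal error for the
# same file both name it, so sort -u collapses them).
missing_from_log() {
    sed -n \
        -e "s/.*require(\([^)]*\)): failed to open stream.*/\1/p" \
        -e "s/.*Failed opening required '\([^']*\)'.*/\1/p" \
    | sort -u
}

# For each path on stdin print "MISSING <path>" or "present <path>",
# resolved under root $1 (/ on the live system, or a staging tree
# when checking an unpacked package before deploying it).
check_present() {
    root=${1%/}
    while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf 'present %s\n' "$p"
        else
            printf 'MISSING %s\n' "$p"
        fi
    done
}

# Number of files from the log on stdin that are still missing under root $1.
count_missing() {
    missing_from_log | check_present "$1" | awk '/^MISSING / { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed log and the live root.
sample_log | missing_from_log | check_present /
```

On a Debian host the natural follow-up for each `MISSING` line is `dpkg -S <path>` to see which package (if any) claims to ship it; in the case reported above that is the step that exposes the move from `mediawiki` to `mediawiki-classes`. Feeding the real log in is just `missing_from_log < /var/log/lighttpd/error.log | check_present /` (the log path is an assumption; use whatever your FastCGI setup writes to).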

