Debian-security,

Looks like this update was botched a bit. Specifically, the results of an update break a mediawiki site because files go missing. Looks like those files were, in unstable, moved from the 'mediawiki' package into the 'mediawiki-classes' package, but that package is not in stable. Installing 'mediawiki-classes' from unstable appears to address this issue, but that's obviously less than ideal.

Can -security please do an update to address those missing files (i.e., put them back into the mediawiki package)? Or add mediawiki-classes to stable and then depend upon it?

Errors seen while working this issue:

2014-03-30 13:27:10: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning: require(/var/lib/mediawiki/includes/libs/HttpStatus.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required '/var/lib/mediawiki/includes/libs/HttpStatus.php' (include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
2014-03-30 13:28:40: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning: require(/var/lib/mediawiki/includes/libs/IEUrlExtension.php): failed to open stream: No such file or directory in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required '/var/lib/mediawiki/includes/libs/IEUrlExtension.php' (include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009

Thanks!
Stephen

* Thijs Kinkhorst (thijs@debian.org) wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2891-1                   security@debian.org
> http://www.debian.org/security/                           Thijs Kinkhorst
> March 30, 2014                         http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : mediawiki, mediawiki-extensions
> CVE ID         : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572
>                  CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472
>                  CVE-2014-1610
> Debian Bug     : 729629 706601 742857 742857
>
> Several vulnerabilities were discovered in MediaWiki, a wiki engine.
> The Common Vulnerabilities and Exposures project describes the following
> issues:
>
> CVE-2013-2031
>
>     Cross-site scripting attack via valid UTF-7 encoded sequences
>     in a SVG file.
>
> CVE-2013-4567 & CVE-2013-4568
>
>     Kevin Israel (Wikipedia user PleaseStand) reported two ways
>     to inject Javascript due to an incomplete blacklist in the
>     CSS sanitizer function.
>
> CVE-2013-4572
>
>     MediaWiki and the CentralNotice extension were incorrectly setting
>     cache headers when a user was autocreated, causing the user's
>     session cookies to be cached, and returned to other users.
>
> CVE-2013-6452
>
>     Chris from RationalWiki reported that SVG files could be
>     uploaded that include external stylesheets, which could lead to
>     XSS when an XSL was used to include JavaScript.
>
> CVE-2013-6453
>
>     MediaWiki's SVG sanitization could be bypassed when the XML was
>     considered invalid.
>
> CVE-2013-6454
>
>     MediaWiki's CSS sanitization did not filter -o-link attributes,
>     which could be used to execute JavaScript in Opera 12.
>
> CVE-2013-6472
>
>     MediaWiki displayed some information about deleted pages in
>     the log API, enhanced RecentChanges, and user watchlists.
>
> CVE-2014-1610
>
>     A remote code execution vulnerability existed if file upload
>     support for DjVu (natively handled) or PDF files (in
>     combination with the PdfHandler extension) was enabled.
>     Neither file type is enabled by default in MediaWiki.
>
> (ID assignment pending)
>
>     Cross site request forgery in login form: an attacker could login
>     a victim as the attacker.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 1.19.14+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u1
> of the mediawiki-extensions package.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 1:1.19.14+dfsg-1 of the mediawiki package and 3.5 of the
> mediawiki-extensions package.
>
> We recommend that you upgrade your mediawiki packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/20140330092539.7BA7259A04@kinkhorst.com
Attachment:
signature.asc
Description: Digital signature
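The report above is diagnosed from PHP "Failed opening required" errors, which is the usual symptom when a package update drops files that an autoloader still references. The following is an added helper, not part of Stephen's report or of Debian's mediawiki packaging: it pulls the distinct missing paths out of PHP/FastCGI error output, checks whether each exists on the host, and, where dpkg is available, asks which installed package owns the path so the missing files can be traced to the right package in a bug report. The sample log lines are constructed from the two errors quoted above (include_path shortened); the dpkg lookup assumes a Debian-derived host and is skipped elsewhere.

```shell
#!/bin/sh
# Added example: triage "require(): Failed opening required" errors after a
# package update. Not code from the original report or from Debian.

# Constructed sample: the two failures quoted in the report, one repeated,
# with the include_path shortened for readability.
SAMPLE_LOG="PHP Fatal error: require(): Failed opening required '/var/lib/mediawiki/includes/libs/HttpStatus.php' (include_path='/var/lib/mediawiki:.') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required '/var/lib/mediawiki/includes/libs/IEUrlExtension.php' (include_path='/var/lib/mediawiki:.') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required '/var/lib/mediawiki/includes/libs/HttpStatus.php' (include_path='/var/lib/mediawiki:.') in /usr/share/mediawiki/includes/AutoLoader.php on line 1009"

# Read error output on stdin; print each distinct path PHP could not require().
missing_required_paths() {
    sed -n "s/.*Failed opening required '\([^']*\)'.*/\1/p" | sort -u
}

# Read paths (one per line) on stdin; print how many do not exist.
# -e follows symlinks, so a dangling link to a removed file also counts.
count_absent() {
    n=0
    while IFS= read -r p; do
        [ -e "$p" ] || n=$((n + 1))
    done
    echo "$n"
}

# Read error output on stdin; for each distinct missing path print
# status, path, and the owning package according to dpkg (if present).
report() {
    missing_required_paths | while IFS= read -r p; do
        if [ -e "$p" ]; then
            status="present"
        else
            status="MISSING"
        fi
        owner="(dpkg not available on this host)"
        if command -v dpkg >/dev/null 2>&1; then
            # dpkg -S fails when no installed package ships the path, which
            # is exactly the signal that the file moved to another package.
            owner=$(dpkg -S "$p" 2>/dev/null || echo "not owned by any installed package")
        fi
        printf '%s\t%s\t%s\n' "$status" "$p" "$owner"
    done
}

# Usage: feed the FastCGI/PHP error log instead of the constructed sample,
# e.g.  report < /var/log/lighttpd/error.log
printf '%s\n' "$SAMPLE_LOG" | report
```

On a host showing the problem from the report, every path comes back MISSING and "not owned by any installed package", which is what you would expect when the files were moved into a package (here mediawiki-classes) that the stable update neither ships nor depends on.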