
From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities
Date: Sat, 07 Feb 2015 17:53:48
Message-Id: 54D64B6E.8050507@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201502-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: MediaWiki: Multiple vulnerabilities
     Date: February 07, 2015
     Bugs: #498064, #499632, #503012, #506018, #515138, #518608,
           #523852, #524364, #532920
       ID: 201502-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MediaWiki, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

MediaWiki is collaborative editing software used by large projects
such as Wikipedia.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/mediawiki       < 1.23.8                     >= 1.23.8
                                                          *>= 1.22.15
                                                          *>= 1.19.23
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers and MediaWiki announcement referenced below
for details.

Impact
======

A remote attacker may be able to execute arbitrary code with the
privileges of the process, create a Denial of Service condition, obtain
sensitive information, bypass security restrictions, and inject
arbitrary web script or HTML.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaWiki 1.23 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.8"

All MediaWiki 1.22 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.22.15"

All MediaWiki 1.19 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.19.23"

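The version ranges in the Affected packages table are branch-aware: 1.19
and 1.22 each have their own fixed release, while every other version
below 1.23.8 (all of 1.20 and 1.21 included) is vulnerable and must move
to 1.23.8. The POSIX shell script below is added here as an example; it is
not part of this GLSA or of Gentoo's own tooling. It encodes that table,
strips a Gentoo -rN ebuild revision before comparing, and reports whether a
given www-apps/mediawiki version needs the upgrade and which version to
emerge. When no version is passed on the command line it assumes Portage's
installed-package database under /var/db/pkg; the function names are the
example's own.

```shell
#!/bin/sh
# Added example for GLSA 201502-04 (not from the advisory or from Gentoo).
# Encodes the Affected packages table: which www-apps/mediawiki versions
# are vulnerable and what the fixed release is for the installed branch.

# strip_revision VERSION: drop a Gentoo ebuild revision (1.23.7-r1 -> 1.23.7).
# Other Portage suffixes (_p, _rc) are not handled; MediaWiki uses plain x.y.z.
strip_revision() {
    printf '%s\n' "${1%%-r*}"
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# numeric component; a missing component counts as 0 (so 1.23 < 1.23.8).
version_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x="${vg_a%%.*}"; vg_y="${vg_b%%.*}"
        # consume the leading component of each string
        case "$vg_a" in *.*) vg_a="${vg_a#*.}" ;; *) vg_a="" ;; esac
        case "$vg_b" in *.*) vg_b="${vg_b#*.}" ;; *) vg_b="" ;; esac
        if [ "${vg_x:-0}" -gt "${vg_y:-0}" ]; then return 0; fi
        if [ "${vg_x:-0}" -lt "${vg_y:-0}" ]; then return 1; fi
    done
    return 0
}

# fixed_version_for VERSION: the unaffected version for VERSION's branch,
# straight from the table (1.19 -> 1.19.23, 1.22 -> 1.22.15, else 1.23.8).
fixed_version_for() {
    case "$(strip_revision "$1")" in
        1.19|1.19.*) echo 1.19.23 ;;
        1.22|1.22.*) echo 1.22.15 ;;
        *)           echo 1.23.8 ;;
    esac
}

# mediawiki_vulnerable VERSION: succeed (exit 0) when VERSION falls in
# the vulnerable range of GLSA 201502-04, fail (exit 1) when unaffected.
mediawiki_vulnerable() {
    mv_ver=$(strip_revision "$1")
    if version_ge "$mv_ver" "$(fixed_version_for "$mv_ver")"; then
        return 1
    fi
    return 0
}

# installed_mediawiki_version: read the installed version from Portage's
# installed-package database (/var/db/pkg); fails on hosts without one.
installed_mediawiki_version() {
    for imv_dir in /var/db/pkg/www-apps/mediawiki-*; do
        [ -d "$imv_dir" ] || return 1
        printf '%s\n' "${imv_dir##*/mediawiki-}"
        return 0
    done
    return 1
}

# report_status VERSION: print the verdict and the matching emerge command.
report_status() {
    rs_fix=$(fixed_version_for "$1")
    if mediawiki_vulnerable "$1"; then
        printf 'www-apps/mediawiki-%s: VULNERABLE (GLSA 201502-04); run:\n' "$1"
        printf '  emerge --ask --oneshot --verbose ">=www-apps/mediawiki-%s"\n' "$rs_fix"
        return 0
    fi
    printf 'www-apps/mediawiki-%s: unaffected (>= %s)\n' "$1" "$rs_fix"
}

# Usage: sh glsa-201502-04-check.sh [VERSION]; without an argument the
# installed version is looked up (only meaningful on a Gentoo host).
if [ $# -gt 0 ]; then
    report_status "$1"
elif chk_ver=$(installed_mediawiki_version); then
    report_status "$chk_ver"
fi
```

On a Gentoo host the same question is answered by Gentoo's own tool,
glsa-check from app-portage/gentoolkit (glsa-check -t 201502-04); the
script above is useful when auditing a version string taken from
elsewhere, such as an inventory or a backup.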
References
==========

[ 1 ] CVE-2013-6451
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6451
[ 2 ] CVE-2013-6452
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452
[ 3 ] CVE-2013-6453
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453
[ 4 ] CVE-2013-6454
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454
[ 5 ] CVE-2013-6472
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472
[ 6 ] CVE-2014-1610
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1610
[ 7 ] CVE-2014-2242
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242
[ 8 ] CVE-2014-2243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243
[ 9 ] CVE-2014-2244
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244
[ 10 ] CVE-2014-2665
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665
[ 11 ] CVE-2014-2853
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853
[ 12 ] CVE-2014-5241
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241
[ 13 ] CVE-2014-5242
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242
[ 14 ] CVE-2014-5243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243
[ 15 ] CVE-2014-7199
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7199
[ 16 ] CVE-2014-7295
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7295
[ 17 ] CVE-2014-9276
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276
[ 18 ] CVE-2014-9277
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277
[ 19 ] CVE-2014-9475
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475
[ 20 ] CVE-2014-9476
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476
[ 21 ] CVE-2014-9477
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9477
[ 22 ] CVE-2014-9478
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9478
[ 23 ] CVE-2014-9479
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9479
[ 24 ] CVE-2014-9480
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9480
[ 25 ] CVE-2014-9481
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9481
[ 26 ] CVE-2014-9487
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9487
[ 27 ] CVE-2014-9507
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507
[ 28 ] MediaWiki Security and Maintenance Releases: 1.19.17, 1.21.11,
       1.22.8 and 1.23.1
       https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201502-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
