Gentoo Archives: gentoo-announce

From: Sergey Popov <pinkbyte@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201310-21 ] MediaWiki: Multiple vulnerabilities
Date: Mon, 28 Oct 2013 17:12:32
Message-Id: 526E99B1.7040101@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 201310-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: MediaWiki: Multiple vulnerabilities
     Date: October 28, 2013
     Bugs: #460352, #466124, #468110, #471140, #483594
       ID: 201310-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MediaWiki, the worst of
which could lead to Denial of Service.

Background
==========

The MediaWiki wiki web application as used on wikipedia.org.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-apps/mediawiki           < 1.21.2                  >= 1.21.2
                                                           *>= 1.20.7
                                                           *>= 1.19.8

Description
===========

Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to execute arbitrary code, perform
man-in-the-middle attacks, obtain sensitive information or perform
cross-site scripting attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaWiki 1.21.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.21.2"

All MediaWiki 1.20.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.20.7"

All MediaWiki 1.19.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.19.8"

References
==========

[ 1 ] CVE-2013-1816
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1816
[ 2 ] CVE-2013-1817
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1817
[ 3 ] CVE-2013-1818
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1818
[ 4 ] CVE-2013-1951
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1951
[ 5 ] CVE-2013-2031
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2031
[ 6 ] CVE-2013-2032
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2032
[ 7 ] CVE-2013-2114
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2114
[ 8 ] CVE-2013-4301
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4301
[ 9 ] CVE-2013-4302
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4302
[ 10 ] CVE-2013-4303
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4303
[ 11 ] CVE-2013-4304
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4304
[ 12 ] CVE-2013-4305
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4305
[ 13 ] CVE-2013-4306
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4306
[ 14 ] CVE-2013-4307
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4307
[ 15 ] CVE-2013-4308
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4308

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201310-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
