Advisories ยป MGASA-2014-0113

Updated mediawiki packages fix security vulnerabilities

Publication date: 02 Mar 2014
Modification date: 02 Mar 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-6451 , CVE-2013-6452 , CVE-2013-6453 , CVE-2013-6472 , CVE-2014-1610

Description

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed
insertion of escaped CSS values which could pass the CSS validation checks,
resulting in XSS (CVE-2013-6451).

Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to include JavaScript (CVE-2013-6452).

During internal review, it was discovered that MediaWiki's SVG sanitization
could be bypassed when the XML was considered invalid (CVE-2013-6453).

During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists (CVE-2013-6472).

Netanel Rubin from Check Point discovered a remote code execution
vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
review also discovered similar logic in the PdfHandler extension, which
could be exploited in a similar way (CVE-2014-1610).

MediaWiki has been updated to version 1.22.2, which fixes these issues, as
well as several others.

Also, the mediawiki-ldapauthentication and mediawiki-math extensions have
been updated to newer versions that are compatible with MediaWiki 1.22.

Additionally, the mediawiki-graphviz extension has been obsoleted, due to
the fact that it is unmaintained upstream and is vulnerable to cross-site
scripting attacks.

Note: if you were using the "instances" feature in these packages to
support multiple wiki instances, this feature has now been removed.  You
will need to maintain separate wiki instances manually.
                

References

SRPMS

3/core

4/core