Home / mailings [gentoo-announce] [ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities
Posted on 07 February 2015
Gentoo-announceThis is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--1rKW4s0tals7UBxRKxWFwJ9iBuu2n2iNu
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MediaWiki: Multiple vulnerabilities
Date: February 07, 2015
Bugs: #498064, #499632, #503012, #506018, #515138, #518608,
#523852, #524364, #532920
ID: 201502-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in MediaWiki, the worst of
which may allow remote attackers to execute arbitrary code.
Background
==========
MediaWiki is a collaborative editing software used by large projects
such as Wikipedia.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/mediawiki < 1.23.8 >= 1.23.8
*>= 1.22.15
*>= 1.19.23
Description
===========
Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers and MediaWiki announcement referenced below
for details.
Impact
======
A remote attacker may be able to execute arbitrary code with the
privileges of the process, create a Denial of Service condition, obtain
sensitive information, bypass security restrictions, and inject
arbitrary web script or HTML.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MediaWiki 1.23 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.8"
All MediaWiki 1.22 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.22.15"
All MediaWiki 1.19 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.19.23"
References
==========
[ 1 ] CVE-2013-6451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6451
[ 2 ] CVE-2013-6452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452
[ 3 ] CVE-2013-6453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453
[ 4 ] CVE-2013-6454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454
[ 5 ] CVE-2013-6472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472
[ 6 ] CVE-2014-1610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1610
[ 7 ] CVE-2014-2242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242
[ 8 ] CVE-2014-2243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243
[ 9 ] CVE-2014-2244
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244
[ 10 ] CVE-2014-2665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665
[ 11 ] CVE-2014-2853
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853
[ 12 ] CVE-2014-5241
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241
[ 13 ] CVE-2014-5242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242
[ 14 ] CVE-2014-5243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243
[ 15 ] CVE-2014-7199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7199
[ 16 ] CVE-2014-7295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7295
[ 17 ] CVE-2014-9276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276
[ 18 ] CVE-2014-9277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277
[ 19 ] CVE-2014-9475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475
[ 20 ] CVE-2014-9476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476
[ 21 ] CVE-2014-9477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9477
[ 22 ] CVE-2014-9478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9478
[ 23 ] CVE-2014-9479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9479
[ 24 ] CVE-2014-9480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9480
[ 25 ] CVE-2014-9481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9481
[ 26 ] CVE-2014-9487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9487
[ 27 ] CVE-2014-9507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507
[ 28 ] MediaWiki Security and Maintenance Releases: 1.19.17, 1.21.11,
1.22.8 and 1.23.1
https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155==2Ehtml
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--1rKW4s0tals7UBxRKxWFwJ9iBuu2n2iNu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"