Date: Fri, 21 Sep 2007 12:15:33 -0700 (PDT)
From: Nick Barkas <snb@threerings.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/116519: [patch] security/vuxml update for mediawiki XSS vulnerability
Message-ID: <20070921191533.B110361DBF@smtp.earth.threerings.net>
Resent-Message-ID: <200709211920.l8LJK106028057@freefall.freebsd.org>
>Number:         116519
>Category:       ports
>Synopsis:       [patch] security/vuxml update for mediawiki XSS vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 21 19:20:00 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 6.2-RELEASE-p4 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:55:55 UTC 2007 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386
>Description:
All MediaWiki ports install themselves with the package name mediawiki, so the current version of VuXML entry c9c14242-6843-11dc-82b6-02e0185f8d72 indicates every version of MediaWiki below 1.10.2 is vulnerable to this bug. This patch changes it so portaudit only finds 1.10 releases before 1.10.2, 1.9 releases before 1.9.4, and 1.8 releases before 1.8.5 vulnerable. Note that 1.8.x is not vulnerable by default, only if the user has enabled $wgEnableAPI. I'm not sure if the potential vulnerability in 1.8.x before 1.8.5 should be noted in this advisory or not.
>How-To-Repeat:
>Fix:
--- vuxml.patch begins here ---
--- vuln.xml.orig	Fri Sep 21 06:14:29 2007
+++ vuln.xml	Fri Sep 21 12:01:59 2007
@@ -39,11 +39,9 @@
     <affects>
       <package>
         <name>mediawiki</name>
-        <range><lt>1.10.2</lt></range>
-      </package>
-      <package>
-        <name>mediawiki19</name>
-        <range><lt>1.9.4</lt></range>
+        <range><ge>1.10.0</ge><lt>1.10.2</lt></range>
+        <range><ge>1.9.0</ge><lt>1.9.4</lt></range>
+        <range><ge>1.8.0</ge><lt>1.8.5</lt></range>
       </package>
     </affects>
     <description>
@@ -67,6 +65,7 @@
     <dates>
       <discovery>2007-09-10</discovery>
       <entry>2007-09-21</entry>
+      <modified>2007-09-21</modified>
     </dates>
   </vuln>
--- vuxml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
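Review bot: in the first hunk (`@@ -39,11 +39,9 @@`) the separate `<package>` block for `mediawiki19` is deleted outright rather than kept next to `mediawiki`; that is only correct if the mediawiki19 port really registers its package as `mediawiki` (as the description asserts) and not as `mediawiki19`, so check that port's PKGNAME/PKGNAMESUFFIX before committing, otherwise 1.9.x installs from that port would stop being flagged by portaudit. The new `<range><ge>1.8.0</ge><lt>1.8.5</lt></range>` also makes every 1.8.x install show as vulnerable, while the description says 1.8.x is only exposed when `$wgEnableAPI` is enabled; either state that condition in the entry's `<description>` (no hunk touches it) or leave 1.8.x out of the ranges.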
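Review bot: the second hunk header `@@ -67,6 +65,7 @@` announces six original and seven new lines, but only five unchanged lines plus the one added `<modified>` line are visible, so one context line (most likely the blank line after `</vuln>`) was lost when the patch was pasted into the PR, and `patch(1)` will reject the hunk as malformed; regenerate the patch with `diff -u` straight from the working copy and attach it unmodified.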
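To make the range-matching point of the description concrete, here is an added example (not part of the PR or of the FreeBSD VuXML tooling) that evaluates the entry's `<range>` conditions before and after the patch against sample package versions. It assumes a simplified version comparison (dotted integers plus an optional `_N` port revision); real portaudit uses pkg_version(1) semantics, which also handle epochs and alpha/beta suffixes, so the comparison here is an assumption that is adequate only for plain release numbers like the ones in this entry.

```python
"""Minimal VuXML-style <range> matcher (added example, not FreeBSD's code)."""

from typing import Callable, Dict, List, Tuple

# A parsed version: (dotted numeric parts, port revision). "1.10.1_1" -> ((1, 10, 1), 1).
# Assumption: no epoch (",N") and no alpha/rc suffixes, which pkg_version(1) would handle.
Version = Tuple[Tuple[int, ...], int]

# One <range> is a list of (op, bound) conditions that must ALL hold.
Range = List[Tuple[str, str]]


def parse_version(v: str) -> Version:
    base, _, rev = v.partition("_")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)


# VuXML range operators; tuple comparison gives the dotted-numeric ordering.
OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version: str, rng: Range) -> bool:
    pv = parse_version(version)
    return all(OPS[op](pv, parse_version(bound)) for op, bound in rng)


def is_affected(version: str, ranges: List[Range]) -> bool:
    """A package version is affected if ANY <range> under its <package> matches."""
    return any(in_range(version, r) for r in ranges)


# The entry before the patch: a single open-ended upper bound, so every
# mediawiki package below 1.10.2 is reported, including fixed 1.9.4 and 1.8.5.
OLD_RANGES: List[Range] = [[("lt", "1.10.2")]]

# The entry after the patch: one bounded range per release branch.
NEW_RANGES: List[Range] = [
    [("ge", "1.10.0"), ("lt", "1.10.2")],
    [("ge", "1.9.0"), ("lt", "1.9.4")],
    [("ge", "1.8.0"), ("lt", "1.8.5")],
]


def compare(versions: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample version to (affected before patch, affected after patch)."""
    return {v: (is_affected(v, OLD_RANGES), is_affected(v, NEW_RANGES)) for v in versions}


if __name__ == "__main__":
    # Constructed sample versions, including a port revision and a fixed release.
    for ver, (old, new) in compare(["1.10.1_1", "1.10.2", "1.9.3", "1.9.4", "1.8.5", "1.7.1"]).items():
        print(f"{ver:10} before patch: {old!s:5} after patch: {new}")
```

The fixed releases 1.9.4 and 1.8.5 flip from "affected" to "not affected" once the lower bounds are added, and anything older than 1.8.0 stops being reported at all, which is exactly the narrowing the description asks for.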