[gentoo-announce] [ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities

Fabricante: Gentoo
Fecha: 07/02/2015
Identificador: GLSA 201502-04
[gentoo-announce] [ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201502-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: MediaWiki: Multiple vulnerabilities Date: February 07, 2015 Bugs: #498064, #499632, #503012, #506018, #515138, #518608, #523852, #524364, #532920 ID: 201502-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code. Background ========== MediaWiki is a collaborative editing software used by large projects such as Wikipedia. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-apps/mediawiki < 1.23.8 >= 1.23.8 *>= 1.22.15 *>= 1.19.23 Description =========== Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers and MediaWiki announcement referenced below for details. Impact ====== A remote attacker may be able to execute arbitrary code with the privileges of the process, create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. Workaround ========== There is no known workaround at this time. Resolution ========== All MediaWiki 1.23 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.8" All MediaWiki 1.22 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.22.15" All MediaWiki 1.19 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.19.23" References ========== [ 1 ] CVE-2013-6451 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6451 [ 2 ] CVE-2013-6452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452 [ 3 ] CVE-2013-6453 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453 [ 4 ] CVE-2013-6454 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454 [ 5 ] CVE-2013-6472 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472 [ 6 ] CVE-2014-1610 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1610 [ 7 ] CVE-2014-2242 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242 [ 8 ] CVE-2014-2243 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243 [ 9 ] CVE-2014-2244 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244 [ 10 ] CVE-2014-2665 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665 [ 11 ] CVE-2014-2853 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853 [ 12 ] CVE-2014-5241 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241 [ 13 ] CVE-2014-5242 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242 [ 14 ] CVE-2014-5243 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243 [ 15 ] CVE-2014-7199 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7199 [ 16 ] CVE-2014-7295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7295 [ 17 ] CVE-2014-9276 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276 [ 18 ] CVE-2014-9277 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277 [ 19 ] CVE-2014-9475 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475 [ 20 ] CVE-2014-9476 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476 [ 21 ] CVE-2014-9477 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9477 [ 22 ] CVE-2014-9478 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9478 [ 23 ] CVE-2014-9479 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9479 [ 24 ] CVE-2014-9480 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9480 [ 25 ] CVE-2014-9481 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9481 [ 26 ] CVE-2014-9487 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9487 [ 27 ] CVE-2014-9507 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507 [ 28 ] MediaWiki Security and Maintenance Releases: 1.19.17, 1.21.11, 1.22.8 and 1.23.1 https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201502-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5