mediawiki 1.19.3 fixes security vulnerability (CVE-2012-5391)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mediawiki (Debian) |
Fix Released
|
Unknown
|
|||
| mediawiki (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
http://
* During an internal review, it was discovered that MediaWiki core is
vulnerable to session fixation attacks. Successful exploitation could
allow an attacker to compromise another user's account. This issue
has been assigned CVE-2012-5391.
<https:/
* Wikipedia user PleaseStand discovered that a PCRE backtrack limit
could easily be exceeded, causing recent changes and history pages to
fail to display. Since these pages are often used for fighting spam
and vandalism, public wikis are encouraged to update.
<https:/
MediaWiki 1.19 is a "Long Term Support" release so it would be good if we would take their updates.
http://
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: mediawiki 1:1.19.2-2
ProcVersionSign
Uname: Linux 3.7.0-5-generic x86_64
ApportVersion: 2.7-0ubuntu2
Architecture: amd64
Date: Thu Dec 13 12:30:11 2012
MarkForUpload: True
PackageArchitec
SourcePackage: mediawiki
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
CVE References
| Jeremy Bícha (jbicha) wrote | #1 |
| Changed in mediawiki (Ubuntu): | |
| status: | New → Fix Released |
| Jeremy Bícha (jbicha) wrote | #2 |
| Changed in mediawiki (Debian): | |
| status: | Unknown → Fix Released |
| no longer affects: | mediawiki (Ubuntu Quantal) |
Fixed in raring:
mediawiki (1:1.19.3-1) unstable; urgency=high
.
[ Dominik George ]
* Team upload
* New upstream version fixes security issues (Closes: #694998)
+ Prevent session fixation in Special:UserLogin (CVE-2012-5391)
https:/
+ Prevent linker regex from exceeding PCRE backtrack limit
https:/
.
[ Thorsten Glaser ]
* Fix spelling error in README.Debian (thanks lintian!)