1.15.3 security release: CSRF login vulnerability

Bug #557159 reported by Andreas Wenning
This bug affects 2 people
Affects              Status         Importance   Assigned to       Milestone
mediawiki (Ubuntu)   Fix Released   Undecided    Andreas Wenning
Hardy                Fix Released   Undecided    Unassigned
Intrepid             Fix Released   Undecided    Unassigned
Jaunty               Fix Released   Undecided    Unassigned
Karmic               Fix Released   Undecided    Unassigned
Lucid                Fix Released   Undecided    Andreas Wenning

Bug Description

Binary package hint: mediawiki

== From the security announcement ==
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
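
The "breaking change to the API login action" is a token handshake: the first `action=login` request is answered with `NeedToken`, and the client must repeat it with `lgtoken` in the same session. The sketch below is an added example, not code from MediaWiki or from the Ubuntu patch; `ToyWiki` is a hypothetical in-memory stand-in for the server with constructed credentials, while `lgname`, `lgpassword`, `lgtoken`, `NeedToken` and `WrongToken` are the API's own names.

```python
import hmac
import secrets

USERS = {"ExampleBot": "correct horse"}  # constructed demo account


class ToyWiki:
    """Hypothetical, simplified model of a token-protected login endpoint."""

    def __init__(self):
        self.sessions = {}  # session id -> pending one-time login token

    def login(self, cookies, lgname, lgpassword, lgtoken=None):
        expected = self.sessions.pop(cookies.get("session"), None)
        if lgtoken is None or expected is None:
            # No token in the request, or no token stored for this session:
            # issue one instead of logging in. A form posted from another
            # site stops here, since that site cannot read this response.
            sid = secrets.token_hex(16)
            self.sessions[sid] = secrets.token_hex(16)
            cookies["session"] = sid
            return {"login": {"result": "NeedToken", "token": self.sessions[sid]}}
        if not hmac.compare_digest(expected, lgtoken):
            return {"login": {"result": "WrongToken"}}
        stored = USERS.get(lgname)
        if stored is not None and hmac.compare_digest(stored, lgpassword):
            return {"login": {"result": "Success", "lgusername": lgname}}
        return {"login": {"result": "WrongPass"}}


def api_login(wiki, cookies, name, password):
    """Updated client: resend the request with the token when asked for one."""
    reply = wiki.login(cookies, name, password)["login"]
    if reply["result"] == "NeedToken":
        reply = wiki.login(cookies, name, password, lgtoken=reply["token"])["login"]
    return reply["result"]


def old_style_login(wiki, cookies, name, password):
    """Client written before the fix: a single request without a token."""
    return wiki.login(cookies, name, password)["login"]["result"]
```

A client that was not updated never gets past `NeedToken`, which is the breakage the announcement warns about.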

visibility: private → public
Changed in mediawiki (Ubuntu):
assignee: nobody → Andreas Wenning (andreas-wenning)
status: New → In Progress
Andreas Wenning (andreas-wenning) wrote :

Debdiff for karmic. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

Andreas Wenning (andreas-wenning) wrote :

Debdiff for jaunty. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

Andreas Wenning (andreas-wenning) wrote :

Debdiff for intrepid. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

Andreas Wenning (andreas-wenning) wrote :

Debdiff for hardy. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

Changed in mediawiki (Ubuntu Karmic):
status: New → Confirmed
Changed in mediawiki (Ubuntu Jaunty):
status: New → Confirmed
Changed in mediawiki (Ubuntu Intrepid):
status: New → Confirmed
Changed in mediawiki (Ubuntu Hardy):
status: New → Confirmed
Changed in mediawiki (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.1-1ubuntu2

---------------
mediawiki (1:1.15.1-1ubuntu2) lucid; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:46:10 +0200

Changed in mediawiki (Ubuntu Lucid):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, thanks Andreas.

I've added the CVE number to the changelog as it is known now, and will publish the updates today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.15.0-1.1ubuntu0.2

---------------
mediawiki (1:1.15.0-1.1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:52:21 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.13.3-1ubuntu2.2

---------------
mediawiki (1:1.13.3-1ubuntu2.2) jaunty-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:56:59 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.12.0-2ubuntu0.5

---------------
mediawiki (1:1.12.0-2ubuntu0.5) intrepid-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 11:56:02 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediawiki - 1:1.11.2-2ubuntu0.5

---------------
mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF. An
    attacker who controls a user account on the target wiki can force the
    victim to login as the attacker, via a script on an external website.
    IMPORTANT: Fix includes a breaking change to the API login action. Any
    clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150
 -- Andreas Wenning <email address hidden> Wed, 07 Apr 2010 12:08:55 +0200

Changed in mediawiki (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in mediawiki (Ubuntu Intrepid):
status: Confirmed → Fix Released
Changed in mediawiki (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in mediawiki (Ubuntu Karmic):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.