1.15.3 security release: CSRF login vulnerability
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mediawiki (Ubuntu) |
Fix Released
|
Undecided
|
Andreas Wenning | ||
Hardy |
Fix Released
|
Undecided
|
Unassigned | ||
Intrepid |
Fix Released
|
Undecided
|
Unassigned | ||
Jaunty |
Fix Released
|
Undecided
|
Unassigned | ||
Karmic |
Fix Released
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Andreas Wenning |
Bug Description
Binary package hint: mediawiki
== From the security announcement ==
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
For more details see https:/
visibility: | private → public |
Changed in mediawiki (Ubuntu): | |
assignee: | nobody → Andreas Wenning (andreas-wenning) |
status: | New → In Progress |
Changed in mediawiki (Ubuntu Karmic): | |
status: | New → Confirmed |
Changed in mediawiki (Ubuntu Jaunty): | |
status: | New → Confirmed |
Changed in mediawiki (Ubuntu Intrepid): | |
status: | New → Confirmed |
Changed in mediawiki (Ubuntu Hardy): | |
status: | New → Confirmed |
Changed in mediawiki (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Debdiff for karmic. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.