[ASA-201711-20] mediawiki: multiple issues

Arch Linux Security Advisory ASA-201711-20
==========================================

Severity: High
Date    : 2017-11-15
CVE-ID  : CVE-2017-0361 CVE-2017-8808 CVE-2017-8809 CVE-2017-8810
          CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-490

Summary
=======

The package mediawiki before version 1.29.2-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure, url
request injection and insufficient validation.

Resolution
==========

Upgrade to 1.29.2-1.

# pacman -Syu "mediawiki>=1.29.2-1"

The problems have been fixed upstream in version 1.29.2.

Workaround
==========

None.

Description
===========

- CVE-2017-0361 (information disclosure)

MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters
may now be marked as "sensitive" to keep their values out of the logs.

- CVE-2017-8808 (cross-site scripting)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
has XSS when the $wgShowExceptionDetails setting is false and the
browser sends non-standard URL escaping.

- CVE-2017-8809 (url request injection)

api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x
before 1.29.2 has a Reflected File Download vulnerability.

- CVE-2017-8810 (information disclosure)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before
1.29.2, when a private wiki is configured, provides different error
messages for failed login attempts depending on whether the username
exists, which allows remote attackers to enumerate account names and
conduct brute-force attacks via a series of requests.

- CVE-2017-8811 (cross-site scripting)

The implementation of raw message parameter expansion in MediaWiki
before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows
HTML mangling attacks.

- CVE-2017-8812 (insufficient validation)

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2
allows remote attackers to inject > (greater than) characters via the
id attribute of a headline.

- CVE-2017-8814 (cross-site scripting)

The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text
inside tags via a rule definition followed by "a lot of junk."

- CVE-2017-8815 (cross-site scripting)

The language converter in MediaWiki before 1.27.4, 1.28.x before
1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via
glossary rules.

Impact
======

A remote attacker is able to perform a cross-site scripting attack by
injecting JavaScript into the site, disclose information or perform a
reflected file download attack.

References
==========

https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
https://phabricator.wikimedia.org/T125177
https://phabricator.wikimedia.org/T180488
https://github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6aed047f7418a2
https://github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff4a90b214034
https://phabricator.wikimedia.org/T178451
https://github.com/wikimedia/mediawiki/commit/1713ddeff12b263fb7634796dc029d3fe26ade41
https://phabricator.wikimedia.org/T128209
https://github.com/wikimedia/mediawiki/commit/9bf2c01ea238d0e71c56bad7341c89345855bd5d
https://phabricator.wikimedia.org/T134100
https://github.com/wikimedia/mediawiki/commit/e7ea90509c73c60b665b8f63e3bb95b1adfec78c
https://phabricator.wikimedia.org/T176247
https://github.com/wikimedia/mediawiki/commit/410c00a9ae92411d3d1568e84c4aa2579a577635
https://phabricator.wikimedia.org/T125163
https://github.com/wikimedia/mediawiki/commit/31041e4557c2f4b96ef0a16e44bf6be5566a9ffb
https://phabricator.wikimedia.org/T124404
https://github.com/wikimedia/mediawiki/commit/fbe78cfa094645b907d0fd2885c5797321f794eb
https://phabricator.wikimedia.org/T119158
https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a9478268cbd3
https://security.archlinux.org/CVE-2017-0361
https://security.archlinux.org/CVE-2017-8808
https://security.archlinux.org/CVE-2017-8809
https://security.archlinux.org/CVE-2017-8810
https://security.archlinux.org/CVE-2017-8811
https://security.archlinux.org/CVE-2017-8812
https://security.archlinux.org/CVE-2017-8814
https://security.archlinux.org/CVE-2017-8815