Re: CVE request: MediaWiki chunked uploads vulnerability

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/22/2013 03:30 AM, Thijs Kinkhorst wrote:
> Hi,
>
> Can a CVE name be assigned for the following MediaWiki issue
> please?

Nope, see below. email me if you want to become the official mediawiki
requester.

> Thanks, Thijs
>
> ----------  Doorgestuurd bericht  ----------
>
> Onderwerp: [MediaWiki-announce] MediaWiki Security Release: 1.20.6
> and 1.19.7 Datum: dinsdag 21 mei 2013, 22:14:52 Van: Chris Steipp
> <csteipp () wikimedia org> Aan:
> mediawiki-announce () lists wikimedia org, "MediaWiki-l" <mediawiki- 
> l () lists wikimedia org>, Wikimedia developers
> <wikitech-l () lists wikimedia org>
>
> I would like to announce the release of MediaWiki 1.20.6 and
> 1.19.7. These releases fix a security related issue that could
> affect users of MediaWiki. Download links are given at the end of
> this email.
>
> * MediaWiki user Marco discovered that security checks for file 
> uploads were not being run when the file was uploaded in chunks 
> through the API. This option has been available to users who can 
> upload files since MediaWiki 1.19. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=48306>
>
> Full release notes for 1.20.6: 
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
>
> Full release notes for 1.19.7: 
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
>
> For information about how to upgrade, see 
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
>
> **********************************************************************
1.20.6
> **********************************************************************
Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz
>
>  Patch to previous version (1.20.5): 
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz
>
>  GPG signatures: 
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz.sig
> Public keys: https://secure.wikimedia.org/keys.html
>
>
> **********************************************************************
1.19.7
> **********************************************************************
Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz
>
>  Patch to previous version (1.19.6): 
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz
>
>  GPG signatures: 
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz.sig
> Public keys: https://secure.wikimedia.org/keys.html

Please use CVE-2013-2114 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRnxbtAAoJEBYNRVNeJnmT4lUQANETyonIDnJ7oD/DuGWsWhUU
K8VGbItSuTl0KI2rMCN3g5+EgM1K8ZZknpVI56ErWRqD4UPOm3EYwKjstMOVxjAw
w2MzjHkd2G9SDTSls3xhe+Jp8RAe0BOeYyxZpaVyvusfoisznqrVFBVacqjj1AcP
/2lS+vgRLxRWwBUkegBVbCBsJsWnefAKcugzh02GkgD98nnbNrfCESzZDQjP0LFE
v65RpIv2a4Pkj9tosEIBc3Q5aMJgxqSBtFohLG+gk0ibGf2CA84fE6S0As+TEW9m
QLUDq/zL09Bl7wbKQnOoWjIcvNRzXzQgzwXXg26VD8WJAXsHdnLC8wBggxVrqmfS
dbGFJaFn5Hv5gYdct2GVcnzQd03pnNSbHkGyZYsYgkDZqJ8F22TNy5oSKp9B9f9N
9iH+x8t860r7pvUJ6VDfz30Olx4LieXmNAvOz3pvR7gEPutWvAjOHa7Pqb6kwBAY
hR3aMa3vw2eRoUJLZPPn9bXv2hitNhLS8e/ioD0fObRDHKxLO54Ct6aVjVB/buPo
LowwCqKc2mYVeM1r8mulHoMvO3v+FbUr3BGCraFGETrScP53qedH0LH7O6mdOnhQ
/TbsnCH+Dium8p7DBug68u2crgH8wsO7LxO664oApMyJKaU1JYoFFEgxKGZH8k3m
YwVIiJ90AXVyQtKP65se
=hF8t
-----END PGP SIGNATURE-----