CVEs for MediaWiki security and maintenance release 1.18.2

[Kurt Seifried <kseifried () redhat com>]

These issues affect Mediawiki 1.18.1 (just stating the obvious =).

> I would like to announce the release of MediaWiki 1.18.2. Five security
> issues were discovered.
>
> It was discovered that the api had a cross-site request forgery (CSRF)
> vulnerability in the block/unblock modules. It was possible for a user
> account with the block privileges to block or unblock another user without
> providing a token.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

Please use CVE-2012-1578 for this issue.


> It was discovered that the resource loader can leak certain kinds of
private
> data across domain origin boundaries, by providing the data as an
executable
> JavaScript file. In MediaWiki 1.18 and later, this includes the
leaking of CSRF
> protection tokens. This allows compromise of the wiki's user accounts,
say by
> changing the user's email address and then requesting a password reset.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Please use CVE-2012-1579 for this issue.


> Jan Schejbal of Hatforce.com discovered a cross-site request forgery
(CSRF)
> vulnerability in Special:Upload. Modern browsers (since at least as
early as
> December 2010) are able to post file uploads without user interaction,
> violating previous security assumptions within MediaWiki.
>
> Depending on the wiki's configuration, this vulnerability could lead
to further
> compromise, especially on private wikis where the set of allowed file
types is
> broader than on public wikis. Note that CSRF allows compromise of a
wiki from
> an external website even if the wiki is behind a firewall.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

Please use CVE-2012-1580 for this issue.


> George Argyros and Aggelos Kiayias reported that the method used to
generate
> password reset tokens is not sufficiently secure. Instead we use
various more
> secure random number generators, depending on what is available on the
> platform. Windows users are strongly advised to install either the openssl
> extension or the mcrypt extension for PHP so that MediaWiki can take
advantage
> of the cryptographic random number facility provided by Windows.
>
> Any extension developers using mt_rand() to generate random numbers in
contexts
> where security is required are encouraged to instead make use of the
> MWCryptRand class introduced with this release.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

Please use CVE-2012-1581 for this issue.


> A long-standing bug in the wikitext parser (bug 22555) was discovered
to have
> security implications. In the presence of the popular CharInsert
extension, it
> leads to cross-site scripting (XSS). XSS may be possible with other
extensions
> or perhaps even the MediaWiki core alone, although this is not
confirmed at
> this time. A denial-of-service attack (infinite loop) is also possible
> regardless of configuration.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

Please use CVE-2012-1582 for this issue.


> Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE
> LEASE-NOTES-1.18;hb=1.18.2
> https://www.mediawiki.org/wiki/Release_notes/1.18
>
> Co-inciding with these security releases, the MediaWiki source code
> repository has
> moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3)
> to Git (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So
the relevant
> commits for these releases will not be appearing in our SVN
repository. If you use
> SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
> If you up are using tarballs, there should be no change in the process
for you.
> Please note that any WMF-deployed extensions have also been migrated
to Git
> also, along with some other non WMF-maintained ones.
>
> Please bear with us, some of the Git related links for this release
may not
> work instantly, but should later on.
>
> To do a simple Git clone, the command is:
> git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
>
> More information is available at https://www.mediawiki.org/wiki/Git
>
> For more help, please visit the #mediawiki IRC channel on freenode.net
> irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list
> at mediawiki-l at lists.wikimedia.org.
>
>
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz
>
> Patch to previous version (1.18.1), without interface text:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz
> Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz.
> sig
>
> Public keys:
> https://secure.wikimedia.org/keys.html
-- 
Kurt Seifried Red Hat Security Response Team (SRT)