Debian: DSA-2041-1: New mediawiki packages fix cross-site request forgery

    Date03 May 2010
    CategoryDebian
    32
    Posted ByLinuxSecurity Advisories
    It was discovered that mediawiki, a website engine for collaborative work, is vulnerable to a Cross-Site Request Forgery login attack, which could be used to conduct phishing or similar attacks to users via affected mediawiki installations.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2041-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                         Raphael Geissert
    May 03, 2010                          http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : mediawiki
    Vulnerability  : CSRF
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2010-1150
    
    It was discovered that mediawiki, a website engine for collaborative
    work, is vulnerable to a Cross-Site Request Forgery login attack, which
    could be used to conduct phishing or similar attacks to users via
    affected mediawiki installations.
    
    Note that the fix used breaks the login API and may require clients using it to 
    be updated.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1:1.12.0-2lenny5.
    
    For the testing distribution (squeeze) and the unstable distribution (sid),
    this problem has been fixed in version 1:1.15.3-1.
    
    
    We recommend that you upgrade your mediawiki packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
    mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0.orig.tar.gz
        Size/MD5 checksum:  7188806 117a1360f440883a51f0ebca32906ea0
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.diff.gz
        Size/MD5 checksum:    64013 4bda93a5b7657c02615abb552a52656f
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.dsc
        Size/MD5 checksum:     1549 95beff777c2aabfc1c27ee705d6e962d
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5_all.deb
        Size/MD5 checksum:  7232192 376a7e8a9d5ef623d9f742c46b6731d2
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_alpha.deb
        Size/MD5 checksum:    50010 ef0bba8b3e99182ca3aa0332c65ecb79
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_amd64.deb
        Size/MD5 checksum:   157208 be32615f5aa6e9eb8c7cb9856190667e
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_arm.deb
        Size/MD5 checksum:    49488 daa203ec0ec783fa56621b5175bdf339
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_armel.deb
        Size/MD5 checksum:    49466 0fadcd27411dfbe53bb5acf871f8e9a5
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_hppa.deb
        Size/MD5 checksum:    50024 1d7fd2466472722e1c94b543e302c481
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_i386.deb
        Size/MD5 checksum:   139020 97e49217a15ba203534ed4e55684ec21
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_ia64.deb
        Size/MD5 checksum:    50014 6d58ac1368a33980217cf93e6252bd8d
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_mips.deb
        Size/MD5 checksum:    50020 2402eedead8550ae99d9a979a861afb9
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_mipsel.deb
        Size/MD5 checksum:    50020 079fe641ba7565df49c0cd2b639d8cc7
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_powerpc.deb
        Size/MD5 checksum:   163034 93917f4c7b2b7c81e4542c83de7950d9
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_s390.deb
        Size/MD5 checksum:    50004 a54b1abd2c73872c378b73c751ac6134
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki-
    math_1.12.0-2lenny5_sparc.deb
        Size/MD5 checksum:   158352 39f3faa87dcc103f6f948e351801ee88
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security 
    dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.