-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4036-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff November 15, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mediawiki CVE ID : CVE-2017-8808 CVE-2017-8809 CVE-2017-8810 CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815 Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work: CVE-2017-8808 Cross-site-scripting with non-standard URL escaping and $wgShowExceptionDetails disabled. CVE-2017-8809 Reflected file download in API. CVE-2017-8810 On private wikis the login form didn't distinguish between login failure due to bad username and bad password. CVE-2017-8811 It was possible to mangle HTML via raw message parameter expansion. CVE-2017-8812 id attributes in headlines allowed raw '>'. CVE-2017-8814 Language converter could be tricked into replacing text inside tags. CVE-2017-8815 Unsafe attribute injection via glossary rules in language converter. For the stable distribution (stretch), these problems have been fixed in version 1:1.27.4-1~deb9u1. We recommend that you upgrade your mediawiki packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: [email protected]
Debian: DSA-4036-1: mediawiki security update
November 15, 2017
Summary
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Security Advisory DSA-4036-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff November 15, 2017 https://www.debian.org/security/faq CVE-2017-8812 CVE-2017-8814 CVE-2017-8815 Multiple security vulnerabilities have been discovered in MediaWiki, a website engine for collaborative work: CVE-2017-8808 Cross-site-scripting with non-standard URL escaping and $wgShowExceptionDetails disabled. CVE-2017-8809 Reflected file download in API. CVE-2017-8810 On private wikis the login form didn't distinguish between login failure due to bad username and bad password. CVE-2017-8811 It was possible to mangle HTML via raw message parameter expansion. CVE-2017-8812 id attributes in headlines allowed raw '>'. CVE-2017-8814 Language converter could be tricked into replacing text inside tags. CVE-2017-8815 Unsafe attribute injection via glossary rules in language converter. For the stable distribution (stretch), these problems have been fixed in version 1:1.27.4-1~deb9u1. We recommend that you upgrade your mediawiki packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: [email protected]
Severity
Package : mediawiki
CVE ID : CVE-2017-8808 CVE-2017-8809 CVE-2017-8810 CVE-2017-8811
News
HOWTOs
Features
About Us
Powered By
