[arch-security] [ASA-201608-19] mediawiki: multiple issues
Arch Linux Security Advisory ASA-201608-19
==========================================

Severity: Medium
Date    : 2016-08-26
CVE-ID  : CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334
          CVE-2016-6335 CVE-2016-6336 CVE-2016-6337
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mediawiki before version 1.27.1-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
permission bypass.

Resolution
==========

Upgrade to 1.27.1-1.

# pacman -Syu "mediawiki>=1.27.1-1"

The problems have been fixed upstream in version 1.27.1.

Workaround
==========

None.

Description
===========

- CVE-2016-6331 (permission bypass)

Check read permission when loading page content in ApiParse. Prevents
leaking page contents for extensions that deny read rights to certain
pages via a userCan hook, but still allow the user to have read rights in
general.

- CVE-2016-6332 (permission bypass)

Make $wgBlockDisablesLogin also restrict logged in permissions. Does both
Title and user related methods, so it catches things that only call
$wgUser->isAllowed( 'read' ), as well as giving a nicer error message for
things that use $title->userCan(). Otherwise, the user can still do stuff
and read pages if they have an ongoing session.

- CVE-2016-6333 (cross-site scripting)

Escape '<' and ']]>' in inline <style> blocks. This is to prevent people
from closing the <style> tag, and then doing arbitrary js-y things. In
particular, this is needed for when previewing user css pages. This does
not escape '>' since it's used as the child selector in css, and generally
speaking, '>' is safe inside the contents of elements.

- CVE-2016-6334 (cross-site scripting)

rawurldecode was being run on unclosed internal links which could allow an
attacker to insert arbitrary html into the page.

- CVE-2016-6335 (information disclosure)

API: Generate head items in the context of the given title.
$context->getOutput() returns an OutputPage tied to the main
RequestContext at the root of the chain, not to the modified context we're
actually using.

- CVE-2016-6336 (permission bypass)

Do not allow undeleting a revision deleted file if it is the top file.
This prevents admins from being able to view suppressed files by simply
deleting them, and then undeleting only the file revision that they want
to view.

- CVE-2016-6337 (permission bypass)

Move 'UserGetRights' call before application of
Session::getAllowedUserRights(). This prevents hook functions from
accidentally adding rights that should be denied based on the session
grants. If some extension really needs to be able to override session
grants, add a new hook where the old call was, with documentation
explicitly warning about the security implications.

Impact
======

A remote attacker is able to execute arbitrary javascript code in the
victim's browser, bypass permissions or get information he/she isn't
supposed to see.

References
==========

https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6331
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6332
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6333
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6334
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6335
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6336
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6337
https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195....
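The CVE-2016-6333 entry above describes the mitigation strategy (escape '<' and ']]>' inside an inline <style> body, leave '>' alone) but not how such an escape looks. The following is an added illustration written for this advisory, not MediaWiki's own Html::inlineStyle() code: it uses CSS hex escapes, which the CSS parser still reads as the original characters, so a stylesheet cannot terminate the element it is embedded in. The function names and the sample user stylesheets are constructed for the example.

```python
import re

# Added illustration of the CVE-2016-6333 fix strategy. Not MediaWiki code;
# names and sample inputs below are constructed for this example.


def escape_inline_css(css: str) -> str:
    """Return css that is safe to embed verbatim inside a <style> element.

    '<'   -> '\\3C '   CSS hex escape for '<'; the trailing space ends the escape
    ']]>' -> ']]\\3E ' so a CDATA-style close sequence cannot end the block
    A lone '>' is kept: it is the CSS child combinator and cannot close an
    element by itself, which is why the advisory says it is not escaped.
    HTML entities would be wrong here: CSS does not decode them, so '&lt;'
    would change the meaning of the stylesheet instead of preserving it.
    """
    css = css.replace("]]>", "]]\\3E ")
    css = css.replace("<", "\\3C ")
    return css


def render_inline_style(css: str) -> str:
    """Wrap user-supplied CSS in a <style> element after escaping it."""
    return "<style>" + escape_inline_css(css) + "</style>"


def style_block_is_closable(css: str) -> bool:
    """Detection check: could this body end the enclosing <style> early?

    In HTML, raw text inside <style> ends at the first '</style'; in XML
    serialisations that wrap the body in CDATA, ']]>' ends the section.
    """
    return re.search(r"</style", css, re.IGNORECASE) is not None or "]]>" in css


# Constructed sample inputs: a legitimate user stylesheet using the child
# combinator, and one that tries to close the style element early.
SAFE_USER_CSS = "div.infobox > p { color: red; }"
UNSAFE_USER_CSS = "p { color: red; } </style><b>not css any more</b>"
CDATA_USER_CSS = "p { content: ']]>'; }"


if __name__ == "__main__":
    for sample in (SAFE_USER_CSS, UNSAFE_USER_CSS, CDATA_USER_CSS):
        print(render_inline_style(sample))
```

Run the script to see that the legitimate stylesheet is emitted unchanged while the other two no longer contain any sequence that can end the element; `style_block_is_closable()` is the kind of assertion a test suite for the rendering code would keep around so the escaping is not silently lost in a refactor.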
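The CVE-2016-6337 entry is an ordering bug: the session's allowed-rights mask was applied before extension hooks ran, so a hook could put back a right the session was supposed to withhold. The added example below models that ordering in Python; it is not MediaWiki's User or Session code, and the right names, the session grant list and the hook are all constructed for the illustration. Following the description, a session with no grant list is treated as unrestricted (modelled here as `None`).

```python
from typing import Callable, Iterable, Optional, Set

# Added illustration of the ordering fix described for CVE-2016-6337.
# Not MediaWiki code; the rights, session grants and hook are constructed.

Hook = Callable[[Set[str]], Set[str]]

# Constructed: what the user's groups grant, and what this particular
# session (e.g. one created with a restricted grant list) is allowed.
GROUP_RIGHTS = {"read", "edit", "delete", "upload"}
SESSION_GRANTS = {"read", "edit"}


def extension_hook_adds_delete(rights: Set[str]) -> Set[str]:
    """Constructed stand-in for a UserGetRights hook that adds a right
    without knowing anything about session-level restrictions."""
    return rights | {"delete"}


def rights_before_fix(base: Set[str], session_grants: Optional[Set[str]],
                      hooks: Iterable[Hook]) -> Set[str]:
    """Vulnerable order: apply the session mask first, then run hooks.
    A hook that adds a right re-introduces it after the mask was applied."""
    rights = set(base)
    if session_grants is not None:
        rights &= set(session_grants)
    for hook in hooks:
        rights = hook(rights)
    return rights


def rights_after_fix(base: Set[str], session_grants: Optional[Set[str]],
                     hooks: Iterable[Hook]) -> Set[str]:
    """Fixed order: run hooks first, then apply the session mask last, so
    the most restrictive layer has the final say."""
    rights = set(base)
    for hook in hooks:
        rights = hook(rights)
    if session_grants is not None:
        rights &= set(session_grants)
    return rights


def leaked_rights(base: Set[str], session_grants: Optional[Set[str]],
                  hooks: Iterable[Hook]) -> Set[str]:
    """Rights the vulnerable order grants that the session should deny."""
    hooks = list(hooks)
    return rights_before_fix(base, session_grants, hooks) - \
        rights_after_fix(base, session_grants, hooks)


if __name__ == "__main__":
    hooks = [extension_hook_adds_delete]
    print("before fix:", sorted(rights_before_fix(GROUP_RIGHTS, SESSION_GRANTS, hooks)))
    print("after fix: ", sorted(rights_after_fix(GROUP_RIGHTS, SESSION_GRANTS, hooks)))
    print("leaked:    ", sorted(leaked_rights(GROUP_RIGHTS, SESSION_GRANTS, hooks)))
```

The general rule the fix encodes is that a restrictive mask (session grants, block status, an authorization policy) must be applied after every layer that can widen the result; `leaked_rights()` is the check that makes a regression in that ordering visible.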
Christian Rebischke