[arch-security] [ASA-201512-15] mediawiki: multiple issues
Arch Linux Security Advisory ASA-201512-15
==========================================

Severity: Medium
Date    : 2015-12-25
CVE-ID  : CVE-2015-8622 CVE-2015-8624 CVE-2015-8625 CVE-2015-8626 CVE-2015-8627 CVE-2015-8628
Package : mediawiki
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mediawiki before version 1.26.2-1 is vulnerable to multiple issues including XSS, a timing attack, a sensitive information leak, a password-policy bypass and an IP-blocking bypass.

Resolution
==========

Upgrade to 1.26.2-1.

# pacman -Syu "mediawiki>=1.26.2-1"

The problem has been fixed upstream in version 1.26.1.

Workaround
==========

None.

Description
===========

- CVE-2015-8622: (T117899) XSS from wikitext when $wgArticlePath='$1'. Internal review discovered an XSS vector when MediaWiki is configured with a non-standard configuration.

- CVE-2015-8624: (T119309) User::matchEditToken should use constant-time string comparison. Internal review discovered that tokens were being compared as ordinary strings, which could allow a timing attack.

- CVE-2015-8625: (T118032) Error thrown by VirtualRESTService when a POST variable starts with '@'. Internal review discovered that MediaWiki was not sanitizing parameters passed to the curl library, which could cause curl to upload files from the webserver to an attacker.

- CVE-2015-8626: (T115522) Passwords generated by User::randomPassword() may be shorter than $wgMinimalPasswordLength. MediaWiki user Frank R. Farmer reported that the password reset token could be shorter than the minimum required password length.

- CVE-2015-8627: (T97897) Incorrect parsing of IPs for global block. Wikimedia steward Vituzzu reported that blocking IP addresses with zero-padded octets resulted in a failure to block the IP address.

- CVE-2015-8628: (T109724) A combination of Special:MyPage redirects and pagecounts allows an external site to learn the Wikipedia login of a user. Wikimedia user Xavier Combelle reported a way to identify a user when detailed page view data is also released.

Impact
======

A remote attacker might be able to access sensitive information by tricking the server into uploading file content or by a timing attack. A remote attacker might be able to bypass password policy and IP blocking measures.

References
==========

http://seclists.org/oss-sec/2015/q4/573
https://phabricator.wikimedia.org/T97897
https://phabricator.wikimedia.org/T109724
https://phabricator.wikimedia.org/T115522
https://phabricator.wikimedia.org/T117899
https://phabricator.wikimedia.org/T118032
https://phabricator.wikimedia.org/T119309
https://access.redhat.com/security/cve/CVE-2015-8622
https://access.redhat.com/security/cve/CVE-2015-8624
https://access.redhat.com/security/cve/CVE-2015-8625
https://access.redhat.com/security/cve/CVE-2015-8626
https://access.redhat.com/security/cve/CVE-2015-8627
https://access.redhat.com/security/cve/CVE-2015-8628
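Three of the issue classes in the Description (the non-constant-time token comparison of CVE-2015-8624, the unsanitized '@'-prefixed curl POST field of CVE-2015-8625, and the zero-padded-octet block bypass of CVE-2015-8627) come down to the same defensive patterns in PHP. The block below is an added illustration written for this advisory, not MediaWiki's or Arch Linux's own code; the function names (tokenMatches, buildPostBody, postWithCurl, canonicalIPv4, isBlocked) and the sample values at the bottom are constructed.

```php
<?php
// Added example, not MediaWiki code. Function names are illustrative.

// CVE-2015-8624 class: compare a submitted edit token with the expected one
// in constant time. A plain === stops at the first differing byte, so the
// response time reveals how many leading bytes of the guess were correct.
function tokenMatches(string $expected, string $submitted): bool {
    // hash_equals() (PHP >= 5.6) takes time proportional to strlen($expected),
    // independent of where the first mismatch is.
    return hash_equals($expected, $submitted);
}

// CVE-2015-8625 class: the PHP curl extension historically treated an array
// POST field whose value begins with '@' as "upload this local file". Encoding
// the fields into a string body removes that interpretation entirely,
// regardless of PHP version or the CURLOPT_SAFE_UPLOAD setting.
function buildPostBody(array $fields): string {
    foreach ($fields as $k => $v) {
        // Form fields must be scalars; reject embedded NUL bytes explicitly.
        if (!is_scalar($v) || strpos((string) $v, "\0") !== false) {
            throw new InvalidArgumentException("invalid POST field: $k");
        }
    }
    // RFC 3986 encoding: '@' becomes %40, so curl sees only opaque bytes.
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

function postWithCurl(string $url, array $fields) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    // A string body is sent verbatim; no per-field file-upload heuristics apply.
    curl_setopt($ch, CURLOPT_POSTFIELDS, buildPostBody($fields));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch; // caller runs curl_exec() and curl_close()
}

// CVE-2015-8627 class: block-list lookups must compare canonical forms.
// "010.000.000.001" and "10.0.0.1" name the same host; a naive string match
// lets the zero-padded spelling slip past a block stored in canonical form.
function canonicalIPv4(string $ip): ?string {
    $parts = explode('.', trim($ip));
    if (count($parts) !== 4) {
        return null;
    }
    $out = [];
    foreach ($parts as $p) {
        // 1-3 decimal digits; leading zeros are stripped, never read as octal.
        if (!preg_match('/^[0-9]{1,3}$/', $p)) {
            return null;
        }
        $n = (int) $p;
        if ($n > 255) {
            return null;
        }
        $out[] = $n;
    }
    return implode('.', $out);
}

function isBlocked(string $clientIp, array $blockList): bool {
    $canon = canonicalIPv4($clientIp);
    if ($canon === null) {
        return false; // not a parseable IPv4 address; IPv6 needs its own canonicaliser
    }
    foreach ($blockList as $blocked) {
        if (canonicalIPv4($blocked) === $canon) {
            return true;
        }
    }
    return false;
}

// Constructed demonstration values.
$blocks = ['10.0.0.1'];
var_dump(isBlocked('010.000.000.001', $blocks));
var_dump(isBlocked('10.0.0.10', $blocks));
var_dump(tokenMatches('constructed-token', 'constructed-token'));
echo buildPostBody(['comment' => '@alice thanks']), "\n";
```

Run with the PHP CLI: the zero-padded client address canonicalises to the same string as the block entry and is reported as blocked, the neighbouring address is not, and the '@'-prefixed comment is emitted as an encoded form field rather than a file reference. The design choice in each case is the same: normalise or encode untrusted input into one unambiguous representation before it reaches the comparison or the library call.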
Participants: Remi Gacogne