Debian-security,

Looks like this update was botched a bit. Specifically, the results of an update break a mediawiki site because files go missing. Looks like those files were, in unstable, moved from the 'mediawiki' package into the 'mediawiki-classes' package, but that package is not in stable.
Installing 'mediawiki-classes' from unstable appears to address this
issue, but that's obviously less than ideal.
Can -security please do an update to address those missing files (i.e.,
put them back into the mediawiki package..)? Or add mediawiki-classes
to stable and then depend upon it?
Errors seen while working this issue:
2014-03-30 13:27:10: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:
require(/var/lib/mediawiki/includes/libs/HttpStatus.php): failed to open
stream: No such file or directory in
/usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required
'/var/lib/mediawiki/includes/libs/HttpStatus.php'
(include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear')
in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
2014-03-30 13:28:40: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:
require(/var/lib/mediawiki/includes/libs/IEUrlExtension.php): failed to open
stream: No such file or directory in
/usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required
'/var/lib/mediawiki/includes/libs/IEUrlExtension.php'
(include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear')
in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
Thanks!
Stephen
* Thijs Kinkhorst ([email protected]) wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2891-1 [email protected]
> http://www.debian.org/security/ Thijs Kinkhorst
> March 30, 2014 http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : mediawiki, mediawiki-extensions
> CVE ID : CVE-2013-2031 CVE-2013-4567 CVE-2013-4568 CVE-2013-4572
> CVE-2013-6452 CVE-2013-6453 CVE-2013-6454 CVE-2013-6472
> CVE-2014-1610
> Debian Bug : 729629 706601 742857 742857
>
> Several vulnerabilities were discovered in MediaWiki, a wiki engine.
> The Common Vulnerabilities and Exposures project describes the following
> issues:
>
> CVE-2013-2031
>
> Cross-site scripting attack via valid UTF-7 encoded sequences
> in a SVG file.
>
> CVE-2013-4567 & CVE-2013-4568
>
> Kevin Israel (Wikipedia user PleaseStand) reported two ways
> to inject Javascript due to an incomplete blacklist in the
> CSS sanitizer function.
>
> CVE-2013-4572
>
> MediaWiki and the CentralNotice extension were incorrectly setting
> cache headers when a user was autocreated, causing the user's
> session cookies to be cached, and returned to other users.
>
> CVE-2013-6452
>
> Chris from RationalWiki reported that SVG files could be
> uploaded that include external stylesheets, which could lead to
> XSS when an XSL was used to include JavaScript.
>
> CVE-2013-6453
>
> MediaWiki's SVG sanitization could be bypassed when the XML was
> considered invalid.
>
> CVE-2013-6454
>
> MediaWiki's CSS sanitization did not filter -o-link attributes,
> which could be used to execute JavaScript in Opera 12.
>
> CVE-2013-6472
>
> MediaWiki displayed some information about deleted pages in
> the log API, enhanced RecentChanges, and user watchlists.
>
> CVE-2014-1610
>
> A remote code execution vulnerability existed if file upload
> support for DjVu (natively handled) or PDF files (in
> combination with the PdfHandler extension) was enabled.
> Neither file type is enabled by default in MediaWiki.
>
> (ID assignment pending)
>
> Cross site request forgery in login form: an attacker could log in
> a victim as the attacker.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 1.19.14+dfsg-0+deb7u1 of the mediawiki package and 3.5~deb7u1
> of the mediawiki-extensions package.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 1:1.19.14+dfsg-1 of the mediawiki package and 3.5 of the
> mediawiki-extensions package.
>
> We recommend that you upgrade your mediawiki packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: [email protected]
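
The wrapped FastCGI log excerpt in the report above can be reduced to the set of files the update left missing and the query that shows whether any installed package ships them. This is an added example, not part of the original message or of Debian's tooling; the function names are illustrative, and searching by basename assumes the logged path may differ from the path recorded in the package.

```python
import re
import shlex
from collections import defaultdict

# Log excerpt from the report above, e-mail line wrapping left in place.
SAMPLE_LOG = """\
2014-03-30 13:27:10: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:
require(/var/lib/mediawiki/includes/libs/HttpStatus.php): failed to open
stream: No such file or directory in
/usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required
'/var/lib/mediawiki/includes/libs/HttpStatus.php'
(include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear')
in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
2014-03-30 13:28:40: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Warning:
require(/var/lib/mediawiki/includes/libs/IEUrlExtension.php): failed to open
stream: No such file or directory in
/usr/share/mediawiki/includes/AutoLoader.php on line 1009
PHP Fatal error: require(): Failed opening required
'/var/lib/mediawiki/includes/libs/IEUrlExtension.php'
(include_path='/var/lib/mediawiki:/var/lib/mediawiki/includes:/var/lib/mediawiki/languages:.:/usr/share/php:/usr/share/pear')
in /usr/share/mediawiki/includes/AutoLoader.php on line 1009
"""

FATAL_RE = re.compile(
    r"PHP Fatal error:\s+require(?:_once)?\(\): Failed opening required "
    r"'(?P<missing>[^']+)' \(include_path='[^']*'\) "
    r"in (?P<caller>\S+) on line (?P<line>\d+)"
)

def missing_requires(log_text):
    """Map each file a fatal require() could not open to its (caller, line) sites."""
    # Collapse all whitespace so records wrapped over several lines match again.
    flat = " ".join(log_text.split())
    found = defaultdict(set)
    for m in FATAL_RE.finditer(flat):
        found[m["missing"]].add((m["caller"], int(m["line"])))
    return dict(found)

def ownership_checks(found):
    """One `dpkg -S` pattern query per missing file, searched by basename (assumption:
    the logged path may not be the path recorded in the package's file list)."""
    return ["dpkg -S " + shlex.quote("*/" + p.rsplit("/", 1)[-1]) for p in sorted(found)]

if __name__ == "__main__":
    found = missing_requires(SAMPLE_LOG)
    for path, cmd in zip(sorted(found), ownership_checks(found)):
        print(path, sorted(found[path]), "->", cmd)
```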

