[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
This bug was fixed in the package mediawiki - 1:1.11.2-2ubuntu0.5

---
mediawiki (1:1.11.2-2ubuntu0.5) hardy-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF.
    An attacker who controls a user account on the target wiki can force
    the victim to login as the attacker, via a script on an external
    website. IMPORTANT: Fix includes a breaking change to the API login
    action. Any clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/90.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150

 -- Andreas Wenning  Wed, 07 Apr 2010 12:08:55 +0200

--
1.15.3 security release: CSRF login vulnerability
https://bugs.launchpad.net/bugs/557159
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
This bug was fixed in the package mediawiki - 1:1.12.0-2ubuntu0.5

---
mediawiki (1:1.12.0-2ubuntu0.5) intrepid-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF.
    An attacker who controls a user account on the target wiki can force
    the victim to login as the attacker, via a script on an external
    website. IMPORTANT: Fix includes a breaking change to the API login
    action. Any clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/90.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150

 -- Andreas Wenning  Wed, 07 Apr 2010 11:56:02 +0200

** Changed in: mediawiki (Ubuntu Hardy)
       Status: Confirmed => Fix Released
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
This bug was fixed in the package mediawiki - 1:1.13.3-1ubuntu2.2

---
mediawiki (1:1.13.3-1ubuntu2.2) jaunty-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF.
    An attacker who controls a user account on the target wiki can force
    the victim to login as the attacker, via a script on an external
    website. IMPORTANT: Fix includes a breaking change to the API login
    action. Any clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch based on upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/90.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150

 -- Andreas Wenning  Wed, 07 Apr 2010 11:56:59 +0200

** Changed in: mediawiki (Ubuntu Intrepid)
       Status: Confirmed => Fix Released
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
This bug was fixed in the package mediawiki - 1:1.15.0-1.1ubuntu0.2

---
mediawiki (1:1.15.0-1.1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF.
    An attacker who controls a user account on the target wiki can force
    the victim to login as the attacker, via a script on an external
    website. IMPORTANT: Fix includes a breaking change to the API login
    action. Any clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/90.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
    - CVE-2010-1150

 -- Andreas Wenning  Wed, 07 Apr 2010 11:52:21 +0200

** Changed in: mediawiki (Ubuntu Karmic)
       Status: Confirmed => Fix Released

** Changed in: mediawiki (Ubuntu Jaunty)
       Status: Confirmed => Fix Released
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
ACK on the debdiffs, thanks Andreas. I've added the CVE number to the changelog as it is known now, and will publish the updates today.
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1150
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
** Branch linked: lp:ubuntu/mediawiki
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
This bug was fixed in the package mediawiki - 1:1.15.1-1ubuntu2

---
mediawiki (1:1.15.1-1ubuntu2) lucid; urgency=low

  * SECURITY UPDATE: MediaWiki was found to be vulnerable to login CSRF.
    An attacker who controls a user account on the target wiki can force
    the victim to login as the attacker, via a script on an external
    website. IMPORTANT: Fix includes a breaking change to the API login
    action. Any clients using it will need to be updated. (LP: #557159)
    - debian/patches/CSRF-no-CVE_rev-64680.patch
    - patch from upstream SVN rev. 64680
    - http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/90.html
    - https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

 -- Andreas Wenning  Wed, 07 Apr 2010 11:46:10 +0200

** Changed in: mediawiki (Ubuntu Lucid)
       Status: Fix Committed => Fix Released

** Bug watch added: MediaWiki bug tracker #23076
   https://bugzilla.wikipedia.org/show_bug.cgi?id=23076
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
** Changed in: mediawiki (Ubuntu Lucid)
       Status: In Progress => Fix Committed
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
** Changed in: mediawiki (Ubuntu Karmic)
       Status: New => Confirmed

** Changed in: mediawiki (Ubuntu Jaunty)
       Status: New => Confirmed

** Changed in: mediawiki (Ubuntu Intrepid)
       Status: New => Confirmed

** Changed in: mediawiki (Ubuntu Hardy)
       Status: New => Confirmed
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
Debdiff for hardy. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

** Attachment added: "mediawiki_1.11.2-2ubuntu0.5.debdiff"
   http://launchpadlibrarian.net/43337521/mediawiki_1.11.2-2ubuntu0.5.debdiff
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
Debdiff for intrepid. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

** Attachment added: "mediawiki_1.12.0-2ubuntu0.5.debdiff"
   http://launchpadlibrarian.net/43337184/mediawiki_1.12.0-2ubuntu0.5.debdiff
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
Debdiff for jaunty. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

** Attachment added: "mediawiki_1.13.3-1ubuntu2.2.debdiff"
   http://launchpadlibrarian.net/43337116/mediawiki_1.13.3-1ubuntu2.2.debdiff
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
Debdiff for karmic. Had been tested in a chroot; test primarily focused on the login capability, as that is the one the patch touches.

** Also affects: mediawiki (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: mediawiki (Ubuntu Intrepid)
   Importance: Undecided
       Status: New

** Also affects: mediawiki (Ubuntu Lucid)
   Importance: Undecided
     Assignee: Andreas Wenning (andreas-wenning)
       Status: In Progress

** Also affects: mediawiki (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: mediawiki (Ubuntu Jaunty)
   Importance: Undecided
       Status: New

** Attachment added: "mediawiki_1.15.0-1.1ubuntu0.2.debdiff"
   http://launchpadlibrarian.net/43337042/mediawiki_1.15.0-1.1ubuntu0.2.debdiff
[Bug 557159] Re: 1.15.3 security release: CSRF login vulnerability
** Changed in: mediawiki (Ubuntu)
       Status: New => In Progress

** Changed in: mediawiki (Ubuntu)
     Assignee: (unassigned) => Andreas Wenning (andreas-wenning)