ports/116519: [patch] security/vuxml update for mediawiki XSS vulnerability

Nick Barkas snb at threerings.net
Fri Sep 21 19:20:01 UTC 2007 

>Number:         116519
>Category:       ports
>Synopsis:       [patch] security/vuxml update for mediawiki XSS vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 21 19:20:00 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 6.2-RELEASE-p4 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:55:55 UTC 2007 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/SMP i386
>Description:
All MediaWiki ports install themselves with the package name mediawiki, so the
current version of VuXML entry c9c14242-6843-11dc-82b6-02e0185f8d72 indicates
every version of MediaWiki below 1.10.2 is vulnerable to this bug. This patch
changes it so portaudit only finds 1.10 releases before 1.10.2, 1.9 releases
before 1.9.4, and 1.8 releases before 1.8.5 vulnerable. 

Note that 1.8.x is not vulnerable by default, only if the user has enabled
$wgEnableAPI. I'm not sure if the potential vulnerability in 1.8.x before 1.8.5
should be noted in this advisory or not.
>How-To-Repeat:
>Fix:
--- vuxml.patch begins here ---
--- vuln.xml.orig	Fri Sep 21 06:14:29 2007
+++ vuln.xml	Fri Sep 21 12:01:59 2007
@@ -39,11 +39,9 @@
     <affects>
       <package>
 	<name>mediawiki</name>
-	<range><lt>1.10.2</lt></range>
-      </package>
-      <package>
-	<name>mediawiki19</name>
-	<range><lt>1.9.4</lt></range>
+	<range><ge>1.10.0</ge><lt>1.10.2</lt></range>
+	<range><ge>1.9.0</ge><lt>1.9.4</lt></range>
+	<range><ge>1.8.0</ge><lt>1.8.5</lt></range>
       </package>
     </affects>
     <description>
@@ -67,6 +65,7 @@
     <dates>
       <discovery>2007-09-10</discovery>
       <entry>2007-09-21</entry>
+      <modified>2007-09-21</modified>
     </dates>
   </vuln>
 
--- vuxml.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list