Fedora Local Security Checks : Fedora Core 13 FEDORA-2010-10779 (mediawiki)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.67688

Category: Fedora Local Security Checks

Title: Fedora Core 13 FEDORA-2010-10779 (mediawiki)

Summary: NOSUMMARY

Description: Description:
The remote host is missing an update to mediawiki
announced via advisory FEDORA-2010-10779.

Update Information:

This update fixes two vulnerabilities in mediawiki CVE-2010-1647 Cross-site
scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before
1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via
crafted Cascading Style Sheets (CSS) strings that are processed as script by
Internet Explorer. CVE-2010-1648 Cross-site request forgery (CSRF)
vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16
before 1.16 beta 3 allows remote attackers to hijack the authentication of users
for requests that (1) create accounts or (2) reset passwords, related to the
Special:Userlogin form. There is also a minor bug fixed which prevented the
use of mediawiki w/o php.

ChangeLog:

* Mon Jul 5 2010 Axel Thimm - 1.15.4-54
- Update to 1.5.14 (Fixes CVE-2010-1647 CVE-2010-1648).
- Change BR php to php-common (RH bug #549822).
* Wed Apr 7 2010 Axel Thimm - 1.15.3-53
- Update to 1.15.3 (Fixes login CSRF vulnerability).
* Wed Mar 31 2010 Axel Thimm - 1.15.2-51
- Update to 1.15.2 (Fixes CSS validation issue and data leakage
vulnerability).

References:

[ 1 ] Bug #601881 - CVE-2010-1647 CVE-2010-1648 mediawiki: multiple vulnerabilities fixed in 1.15.4/1.16b3
https://bugzilla.redhat.com/show_bug.cgi?id=601881

Solution: Apply the appropriate updates.

This update can be installed with the yum update program. Use
su -c 'yum update mediawiki' at the command line.
For more information, refer to Managing Software with yum,
available at http://docs.fedoraproject.org/yum/.

http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2010-10779

Risk factor : High

CVSS Score:
6.8

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2010-1647
FEDORA-2010-10779
http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043803.html
FEDORA-2010-10848
http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043856.html
[MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687
Common Vulnerability Exposure (CVE) ID: CVE-2010-1648
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371

Copyright Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.67688
Category:	Fedora Local Security Checks
Title:	Fedora Core 13 FEDORA-2010-10779 (mediawiki)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to mediawiki announced via advisory FEDORA-2010-10779. Update Information: This update fixes two vulnerabilities in mediawiki CVE-2010-1647 Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. CVE-2010-1648 Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. There is also a minor bug fixed which prevented the use of mediawiki w/o php. ChangeLog: * Mon Jul 5 2010 Axel Thimm - 1.15.4-54 - Update to 1.5.14 (Fixes CVE-2010-1647 CVE-2010-1648). - Change BR php to php-common (RH bug #549822). * Wed Apr 7 2010 Axel Thimm - 1.15.3-53 - Update to 1.15.3 (Fixes login CSRF vulnerability). * Wed Mar 31 2010 Axel Thimm - 1.15.2-51 - Update to 1.15.2 (Fixes CSS validation issue and data leakage vulnerability). References: [ 1 ] Bug #601881 - CVE-2010-1647 CVE-2010-1648 mediawiki: multiple vulnerabilities fixed in 1.15.4/1.16b3 https://bugzilla.redhat.com/show_bug.cgi?id=601881 Solution: Apply the appropriate updates. This update can be installed with the yum update program. Use su -c 'yum update mediawiki' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/. http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2010-10779 Risk factor : High CVSS Score: 6.8
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2010-1647 FEDORA-2010-10779 http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043803.html FEDORA-2010-10848 http://lists.fedoraproject.org/pipermail/package-announce/2010-July/043856.html [MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3 http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html https://bugzilla.wikimedia.org/show_bug.cgi?id=23687 Common Vulnerability Exposure (CVE) ID: CVE-2010-1648 https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
Copyright	Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com