FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- multiple vulnerabilities

Affected packages
mediawiki123 < 1.23.10
mediawiki124 < 1.24.3
mediawiki125 < 1.25.2

Details

VuXML ID 6241b5df-42a1-11e5-93ad-002590263bf5
Discovery 2015-08-10
Entry 2015-08-14
Modified 2015-12-24

MediaWiki reports:

Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.

Internal review discovered that watchlist anti-CSRF tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via CSRF.

John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in XSS.
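The token-comparison issue in the report above, shown as an added example that is not code from MediaWiki or from this advisory: an early-exit comparison does an amount of work that depends on how many leading characters match, while a constant-time comparison does the same work for every input. The function names, the token and the supplied values are all hypothetical and constructed for illustration.

```python
import hmac

def early_exit_equals(expected: bytes, supplied: bytes):
    """Vulnerable pattern: stops at the first differing byte.
    Returns (equal, bytes_examined) to make the data-dependent work visible."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_time_equals(expected: bytes, supplied: bytes):
    """Hardened pattern: OR together the XOR of every byte pair, decide once at the end."""
    if len(expected) != len(supplied):
        return False, 0
    examined, diff = 0, 0
    for a, b in zip(expected, supplied):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined

def check_token(expected: str, supplied: str) -> bool:
    """What application code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected.encode(), supplied.encode())

# Constructed sample values, not taken from any real wiki.
TOKEN = "3f9c1a7be4d2086591c0aa47d1e6b35f"
SUPPLIED = [
    "0" * 32,                 # wrong from the first character
    TOKEN[:8] + "0" * 24,     # first 8 characters correct
    TOKEN[:-1] + "0",         # only the last character wrong
    TOKEN,                    # correct
]

def work_profile(compare):
    """Bytes examined per supplied value; a flat profile leaks nothing about the prefix."""
    return [compare(TOKEN.encode(), s.encode())[1] for s in SUPPLIED]

if __name__ == "__main__":
    print("early exit   :", work_profile(early_exit_equals))
    print("constant time:", work_profile(constant_time_equals))
    print("accepted     :", [check_token(TOKEN, s) for s in SUPPLIED])
```

The hand-written `constant_time_equals` is there only to make the work profile countable; application code should rely on the library primitive, as `check_token` does.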

References

CVE Name CVE-2013-7444
CVE Name CVE-2015-6727
CVE Name CVE-2015-6728
CVE Name CVE-2015-6729
CVE Name CVE-2015-6730
CVE Name CVE-2015-6731
CVE Name CVE-2015-6733
CVE Name CVE-2015-6734
CVE Name CVE-2015-6735
CVE Name CVE-2015-6736
CVE Name CVE-2015-6737
URL http://www.openwall.com/lists/oss-security/2015/08/27/6
URL https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html
URL https://phabricator.wikimedia.org/T106893
URL https://phabricator.wikimedia.org/T94116
URL https://phabricator.wikimedia.org/T97391