Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047)

medium Nessus Plugin ID 71407

Synopsis

The remote Fedora host is missing a security update.

Description

- Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>

- Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>

Additionally, the following extensions have been updated to fix security issues :

- CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's are not correctly hidden when this extension is used (CVE-2013-4569).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>

- ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>

- CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected mediawiki package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1030987

https://phabricator.wikimedia.org/T42747

https://phabricator.wikimedia.org/T55032

https://phabricator.wikimedia.org/T56294

https://phabricator.wikimedia.org/T57332

https://phabricator.wikimedia.org/T57991

http://www.nessus.org/u?bb6debb6

Plugin Details

Severity: Medium

ID: 71407

File Name: fedora_2013-22047.nasl

Version: 1.9

Type: local

Agent: unix

Published: 12/14/2013

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:mediawiki, cpe:/o:fedoraproject:fedora:20

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/24/2013

Reference Information

CVE: CVE-2013-4567, CVE-2013-4568, CVE-2013-4572

BID: 63757, 63760, 63761

FEDORA: 2013-22047