Debian Security Advisory

DSA-2041-1 mediawiki -- Cross-Site Request Forgery

Date Reported:
03 May 2010
Affected Packages:
mediawiki
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2010-1150.
More information:

It was discovered that mediawiki, a website engine for collaborative work, is vulnerable to a Cross-Site Request Forgery login attack, which could be used to conduct phishing or similar attacks to users via affected mediawiki installations.

Note that the fix used breaks the login API and may require clients using it to be updated.

For the stable distribution (lenny), this problem has been fixed in version 1:1.12.0-2lenny5.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1:1.15.3-1.

We recommend that you upgrade your mediawiki packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0.orig.tar.gz
http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.diff.gz
http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5_all.deb
Alpha:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.