Debian Security Advisory
DSA-2041-1 mediawiki -- Cross-Site Request Forgery
- Date Reported:
- 03 May 2010
- Affected Packages:
- mediawiki
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-1150.
- More information:
-
It was discovered that mediawiki, a website engine for collaborative work, is vulnerable to a Cross-Site Request Forgery login attack, which could be used to conduct phishing or similar attacks to users via affected mediawiki installations.
Note that the fix used breaks the login API and may require clients using it to be updated.
For the stable distribution (lenny), this problem has been fixed in version 1:1.12.0-2lenny5.
For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1:1.15.3-1.
We recommend that you upgrade your mediawiki packages.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0.orig.tar.gz
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.diff.gz
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.dsc
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawiki_1.12.0-2lenny5_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/m/mediawiki/mediawikimath_1.12.0-2lenny5_sparc.deb
MD5 checksums of the listed files are available in the original advisory.