Package: mediawiki
Version: 1:1.19.3-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: security; information disclosure including password hashes
Forwarded: https://bugzilla.wikimedia.org/show_bug.cgi?id=43518
The unblock API discloses full user details to anyone who has the right to use it. This includes hashed passwords, amongst other things. The problem is apparently introduced in r83855 and at this stage, I do not believe it affects stable, though I would not be confident enough to be sure yet. sid/wheezy are easily fixed with the new upstream, which I am preparing.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mediawiki depends on:
ii  apache2                       2.2.22-12
ii  apache2-mpm-prefork [httpd]   2.2.22-12
ii  debconf [debconf-2.0]         1.5.49
pn  libjs-jquery                  <none>
ii  libjs-jquery-cookie           6-1
ii  libjs-jquery-form             6-1
ii  libjs-jquery-tipsy            6-1
ii  mime-support                  3.52-1
ii  php5                          5.4.4-13
ii  php5-mysql                    5.4.4-13
ii  php5-pgsql                    5.4.4-13

Versions of packages mediawiki recommends:
ii  mediawiki-extensions-base     2.11
ii  mysql-server                  5.5.28+dfsg-1
ii  php-wikidiff2                 0.0.1+svn109581-1
ii  php5-cli                      5.4.4-13
ii  python                        2.7.3-4

Versions of packages mediawiki suggests:
ii  clamav                        0.97.6+dfsg-1
ii  imagemagick                   8:6.7.7.10-5
pn  mediawiki-math                <none>
pn  memcached                     <none>
ii  php5-gd                       5.4.4-13

-- Configuration Files:
/etc/mediawiki/apache.conf changed [not included]

-- debconf information excluded
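As an added illustration of the class of defect described above (not MediaWiki's code, and not the actual fix), the following PHP sketch assumes the disclosure comes from a whole user object being placed into the API result array, where a naive output formatter then dumps every property of it. The class name `WikiUser`, its property names and the helper functions are constructed stand-ins, and the hash and token values are placeholders; the hardened variant projects only the fields the caller needs and a small check flags any sensitive property name that still reaches the result.

```php
<?php
// Constructed stand-in for a user record; field names and values are not
// MediaWiki's own. The sensitive properties are deliberately present so the
// leak is visible.
class WikiUser {
    public $mId = 42;
    public $mName = 'Example';
    public $mPassword = ':B:placeholder-salt:placeholder-hash'; // constructed placeholder
    public $mToken = 'placeholder-session-token';               // constructed placeholder
    public $mEmail = 'user@example.org';
}

// Mimics a naive output formatter: any object is flattened to all of its
// properties, recursively, before being emitted to the API client.
function formatResult($value) {
    if (is_object($value)) {
        $value = get_object_vars($value);
    }
    if (is_array($value)) {
        return array_map('formatResult', $value);
    }
    return $value;
}

// Unsafe: the object itself is put into the result, so every property
// (password hash, token, e-mail) ends up in the response.
function buildUnblockResultUnsafe(WikiUser $target, $reason) {
    return formatResult(['unblock' => ['user' => $target, 'reason' => $reason]]);
}

// Hardened: an explicit allow-list of scalar fields is copied into the result.
function buildUnblockResultSafe(WikiUser $target, $reason) {
    return formatResult(['unblock' => [
        'id'     => $target->mId,
        'user'   => $target->mName,
        'reason' => $reason,
    ]]);
}

// Regression check for the response: true if any sensitive key appears at any depth.
function leaksSensitiveFields(array $result) {
    $sensitive = ['mPassword', 'mToken', 'mEmail'];
    $found = false;
    array_walk_recursive($result, function ($value, $key) use ($sensitive, &$found) {
        if (in_array($key, $sensitive, true)) {
            $found = true;
        }
    });
    return $found;
}

$target = new WikiUser();
var_dump(leaksSensitiveFields(buildUnblockResultUnsafe($target, 'appeal')));
var_dump(leaksSensitiveFields(buildUnblockResultSafe($target, 'appeal')));
```

The same `leaksSensitiveFields` check can be run against real API responses in a test suite, so a future change that reintroduces an object into the result array fails a test rather than reaching users.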