Bug 228763 (CVE-2007-0894)
Summary: | CVE-2007-0894: mediawiki full path disclosure | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ville Skyttä <ville.skytta> |
Component: | mediawiki | Assignee: | Axel Thimm <axel.thimm> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6 | CC: | fedora-security-list, fedora, roozbeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | 1.8.4-8 | Doc Type: | Bug Fix |
Last Closed: | 2007-03-26 17:14:37 UTC | Type: | --- |
Description
Ville Skyttä
2007-02-14 20:50:14 UTC
Thanks for the heads-up (1.8.3 should be vulnerable as well; it was probably forgotten in the list of vulnerable versions). Indeed for the package we aren't losing any more information than the attacker would already know (unless he doesn't even know he's attacking a Fedora server). For F7 upwards (and most possibly backporting to FC6/FC5) the code and data are being separated (code moves to %{_datadir}), so there won't be any direct requests possible at all. But this still needs some testing in F7/devel. There is an update of mediawiki which, among other things, fixes this. FC-5 and FC-6 will be updated to 1.8.4. F7 will be updated to 1.9.3. I'll close this bug once the packages make it to the master repo. Thanks!