Three flaws were fixed in the recently-released MediaWiki 1.21.2, 1.20.7, and 1.19.8 releases: * Mozilla, and other developers, reported a full path disclosure in MediaWiki, when an invalid language is specified in ResourceLoader [1] * An internal review found several API modules allowed anti-CSRF tokens to be accessed via JSONP [2] * Andreas Peetz reported an issue with the MediaWiki API where an invalid property name could be used for XSS with older versions of Internet Explorer [3] [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=46332 [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 [3] https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1004542]
Created mediawiki119 tracking bugs for this issue: Affects: fedora-18 [bug 1004541] Affects: epel-6 [bug 1004543]
CVE request: http://www.openwall.com/lists/oss-security/2013/09/04/5
(In reply to Vincent Danen from comment #3) > CVE request: > > http://www.openwall.com/lists/oss-security/2013/09/04/5 Assignment: http://www.openwall.com/lists/oss-security/2013/09/05/5
Cannot see this affecting EPEL5, to where I have commit rights. So removing myself.
(please readd me if you want the EPEL5 package updated)
mediawiki119-1.19.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.19.8-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.