It was reported [1] that MediaWiki suffers from a remote code execution vulnerability if you have enabled file upload support for DjVu (natively handled) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. MediaWiki versions 1.22.2, 1.21.5, and 1.19.11 were released to correct this flaw. [1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
Created mediawiki tracking bugs for this issue: Affects: epel-5 [bug 1058983] Affects: fedora-all [bug 1058984]
Created mediawiki119 tracking bugs for this issue: Affects: epel-6 [bug 1058982]
mediawiki-1.21.5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki119-1.19.11-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Fedora 19 and 20 and EPEL 5 and 6 updates have been released. As such, this bug is now CLOSED ERRATA.