The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:

* (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.

The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z
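The difference between an early-exit and a constant-time token comparison, as an added example (not MediaWiki's patch and not code from this report). It counts the bytes each comparison examines as a deterministic stand-in for elapsed time; the function names and the token value are constructed for illustration.

```php
<?php
// Added illustration: names and token values are constructed, not MediaWiki's.

// Early-exit comparison: stops at the first differing byte, so the work done
// (and the response time) grows with the length of the matching prefix.
function leakyEquals(string $known, string $supplied, int &$steps): bool {
    $steps = 0;
    if (strlen($known) !== strlen($supplied)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $supplied[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time comparison: always walks every byte and ORs the differences
// together, so the work is the same wherever the first mismatch falls.
function constantTimeEquals(string $known, string $supplied, int &$steps): bool {
    $steps = 0;
    if (strlen($known) !== strlen($supplied)) {
        return false; // reveals only the length, which is not secret here
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        $diff |= ord($known[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

$token = 'c0ffee1234567890abcdef0987654321'; // constructed sample token
$inputs = [
    'wrong at byte 0'  => 'X0ffee1234567890abcdef0987654321',
    'wrong at byte 16' => 'c0ffee1234567890Xbcdef0987654321',
    'correct token'    => $token,
];

foreach ($inputs as $label => $supplied) {
    $a = $b = 0;
    $leaky = leakyEquals($token, $supplied, $a);
    $safe = constantTimeEquals($token, $supplied, $b);
    $builtin = hash_equals($token, $supplied); // built-in timing-safe compare
    printf("%-17s leaky: %2d steps  constant-time: %2d steps  results: %s/%s/%s\n",
        $label, $a, $b, var_export($leaky, true), var_export($safe, true), var_export($builtin, true));
}
```

On PHP 5.6 and later, `hash_equals()` is the built-in to use for this; the hand-written loop shows what such a comparison has to do on older interpreters.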
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1071142]
Created mediawiki119 tracking bugs for this issue: Affects: epel-6 [bug 1071143]
Created mediawiki tracking bugs for this issue: Affects: epel-5 [bug 1071157]
CVE request: http://www.openwall.com/lists/oss-security/2014/02/28/1
MITRE assigned CVE-2014-2243 to this issue: http://www.openwall.com/lists/oss-security/2014/03/01/2
mediawiki-1.21.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki119-1.19.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.