The MediaWiki 1.22.3, 1.21.6 and 1.19.12 release announcement notes:
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
An attacker could perform cross-site scripting attacks.
The versions of MediaWiki in Fedora and EPEL 6 are affected. I have not tested EPEL 5.
References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
https://bugzilla.wikimedia.org/show_bug.cgi?id=61362
https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb,n,z
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1071142]
Created mediawiki119 tracking bugs for this issue: Affects: epel-6 [bug 1071143]
Created mediawiki tracking bugs for this issue: Affects: epel-5 [bug 1071157]
CVE request: http://www.openwall.com/lists/oss-security/2014/02/28/1
MITRE assigned CVE-2014-2244 to this issue: http://www.openwall.com/lists/oss-security/2014/03/01/2
mediawiki-1.21.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.21.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
For the 1.19 branch, this was not properly fixed in 1.19.12 even though it was noted as having been fixed there. It was actually fixed in 1.19.13 properly.
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000142.html
This probably will get another CVE assigned by MITRE.
mediawiki119-1.19.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.