Quoting from http://www.openwall.com/lists/oss-security/2015/06/25/2
"Wesnoth implements a text preprocessing language that is used in conjunction
with its own game scripting language. It also has a built-in Lua interpreter
and API. Both the Lua API and the preprocessor make use of the same function
(filesystem::get_wml_location()) to resolve file paths so that only content
from the user's data directory can be read.
However, the function did not explicitly disallow files with the .pbl
extension. The contents of these files could thus be stored in saved game
files or even transmitted directly to other users in a networked game. Among
the information that's compromised is a user-defined passphrase used to
authenticate uploads to the game's content server.
This issue was found by Toom Lõhmus, then verified and fixed by Ignacio R.
There have been two patches,  and . Patch  did only take lowercase extensions
into account and was incomplete. Patch  is CVE-2015-5069.
Patch  is an additional patch, fixing the lowercase problem. Patch  is CVE-2015-5070.
 https://gna.org/bugs/?23504 (currently restricted)
Incomplete fix as it only handles lowercase extensions. CVE-2015-5069
Complete fix, CVE-2015-5070
Created wesnoth tracking bugs for this issue:
Affects: fedora-all [bug 1236011]
Affects: epel-5 [bug 1236012]
Affects: epel-6 [bug 1236013]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.