Bug 571926 (CVE-2010-1189, CVE-2010-1190) - CVE-2010-1189 CVE-2010-1190 MediaWiki: Two security fixes in v1.15.2
Summary: CVE-2010-1189 CVE-2010-1190 MediaWiki: Two security fixes in v1.15.2
Alias: CVE-2010-1189, CVE-2010-1190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://lists.wikimedia.org/pipermail/...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-03-09 20:37 UTC by Jan Lieskovsky
Modified: 2021-10-19 09:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-19 09:11:18 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2010-03-09 20:37:57 UTC
MediaWiki upstream has released new v1.15.2 version:

 of MediaWiki fixing two security issues (from upstream announcement):

a, "A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected."

CVE identifier of CVE-2010-1189 has been assigned to this.


b, "A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']."

CVE identifier of CVE-2010-1190 has been assigned to this.

Upstream patch:


CVE Request:

Comment 1 Jan Lieskovsky 2010-03-09 20:50:14 UTC
These issues affect the versions of the mediawiki package, as shipped
with Fedora releases of 11 and 12, and as shipped within EPEL5 repo-

Please fix.

Comment 2 Fedora Update System 2010-04-02 21:57:53 UTC
mediawiki-1.15.2-51.fc11 has been submitted as an update for Fedora 11.

Comment 3 Fedora Update System 2010-04-02 21:58:04 UTC
mediawiki-1.15.2-51.fc12 has been submitted as an update for Fedora 12.

Comment 4 Fedora Update System 2010-07-06 17:22:53 UTC
mediawiki-1.15.3-53.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.