MediaWiki upstream has released a new v1.15.2 version of MediaWiki:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html
fixing two security issues (from the upstream announcement):

a, "A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected."

The CVE identifier CVE-2010-1189 has been assigned to this.

--

b, "A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected. Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']."

The CVE identifier CVE-2010-1190 has been assigned to this.

Upstream patch: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz

References: http://secunia.com/advisories/38856/

CVE Request: http://www.openwall.com/lists/oss-security/2010/03/09/4
These issues affect the versions of the mediawiki package as shipped with Fedora releases 11 and 12, and as shipped within the EPEL5 repository. Please fix.
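A check for the thumb.php workaround condition quoted in the announcement, as an added example (not part of the original report and not MediaWiki code): it reads the text of a LocalSettings.php and reports whether either named setting is active. The sample settings are constructed, and the comment stripping is a heuristic, not a PHP parser.

```python
import re

# The two settings named in the upstream announcement; if either is active,
# thumb.php is in use and deleting it is not a suitable workaround.
PATTERNS = {
    "$wgThumbnailScriptPath": re.compile(
        r"\$wgThumbnailScriptPath\s*=\s*([^;]+);"),
    "$wgLocalRepo['thumbScriptUrl']": re.compile(
        r"""['"]thumbScriptUrl['"]\s*(?:\]\s*=|=>)\s*([^,;)]+)"""),
}

def strip_php_comments(text):
    """Heuristic: drop block comments, whole-line '#' or '//' comments, and
    comments trailing a ';'. A '//' inside a URL string is left alone."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    kept = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue
        kept.append(re.sub(r";\s*(?:#|//).*$", ";", line))
    return "\n".join(kept)

def thumb_settings_in_use(settings_text):
    """Names of the settings assigned a value other than false/null."""
    code = strip_php_comments(settings_text)
    found = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(code):
            if match.group(1).strip().lower() not in ("false", "null"):
                found.append(name)
                break
    return found

def workaround_applies(settings_text):
    """True when neither setting is active, so thumb.php can be deleted."""
    return not thumb_settings_in_use(settings_text)

# Constructed samples, not taken from any real wiki.
SAMPLE_PRIVATE = """<?php
$wgSitename = "Intranet";
# $wgThumbnailScriptPath = "{$wgScriptPath}/thumb.php";
$wgThumbnailScriptPath = false;
"""
SAMPLE_THUMB = """<?php
$wgLocalRepo = array(
    'class' => 'LocalRepo',
    'thumbScriptUrl' => "$wgScriptPath/thumb.php",
);
"""
```
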
mediawiki-1.15.2-51.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mediawiki-1.15.2-51.fc11
mediawiki-1.15.2-51.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mediawiki-1.15.2-51.fc12
mediawiki-1.15.3-53.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.