Red Hat Bugzilla – Bug 580418
CVE-2010-1150 MediaWiki v.1.15.3: Login CSRF
Last modified: 2016-03-04 07:43:37 EST
MediaWiki upstream has released the latest version, v.1.15.3, addressing
one cross-site request forgery (CSRF) issue (from ):
"MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password."
Upstream bug report:
CVE Request (and reply):
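The mitigation pattern the quoted advisory points at, as an added illustration that is not MediaWiki's own code: a login token minted per session, embedded in the login form, and checked when the form is submitted, so a POST that arrives from a third-party page with the victim's cookies cannot supply a matching value. The field names (wpName, wpPassword, wpLoginToken), the in-memory session and account stores, and the demo credentials are all constructed for this example.

```python
"""Session-bound login token as a defence against login CSRF (constructed demo)."""
import hmac
import secrets

SESSIONS: dict[str, dict] = {}          # constructed: session id -> session data
ACCOUNTS = {"attacker": "attacker-pw",  # constructed: plaintext for the demo only;
            "victim": "victim-pw"}      # a real wiki verifies a password hash


def new_session() -> str:
    """Create an anonymous session, as a browser would get on first visit."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_login_form(sid: str) -> dict:
    """GET of the login page: mint a fresh token, remember it in *this* session
    and embed it in the form. A page on another origin cannot read it."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["login_token"] = token
    return {"wpName": "", "wpPassword": "", "wpLoginToken": token}


def handle_login(sid: str, form: dict) -> str:
    """POST of the login form: the submitted token must equal the one minted
    for the submitting session; only then are the credentials even checked."""
    sess = SESSIONS[sid]
    expected = sess.get("login_token")
    submitted = form.get("wpLoginToken", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return "rejected: missing or mismatched login token"
    if ACCOUNTS.get(form.get("wpName")) != form.get("wpPassword"):
        return "rejected: bad credentials"
    sess.pop("login_token")          # token is single use
    sess["user"] = form["wpName"]
    return f"logged in as {form['wpName']}"


def demo() -> dict:
    """Three submissions against one victim session; returns the handler's verdicts."""
    victim = new_session()
    form = render_login_form(victim)              # victim opens the login page
    foreign = render_login_form(new_session())["wpLoginToken"]  # token from another session
    results = {}
    # cross-site POST riding on the victim's cookies, carrying no token at all
    results["no_token"] = handle_login(victim, {"wpName": "attacker", "wpPassword": "attacker-pw"})
    # same POST carrying a token minted for a different session: not bound to the victim
    results["foreign_token"] = handle_login(
        victim, {"wpName": "attacker", "wpPassword": "attacker-pw", "wpLoginToken": foreign})
    # the genuine submission of the form the victim's own browser rendered
    form.update(wpName="victim", wpPassword="victim-pw")
    results["genuine"] = handle_login(victim, form)
    return results
```

Running `demo()` shows both forged submissions rejected before credentials are looked at, while the genuine one succeeds; once used, the token is gone, so a replay of the same form is also rejected.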
This issue has already been addressed in current versions
of the mediawiki package, as shipped with Fedora releases 11
and 12. The particular builds (mediawiki-1.15.3-53.fc11 and
mediawiki-1.15.3-53.fc12) are already present in the relevant
-candidate repositories for each of the above listed releases,
and once the Fedora stabilization process completes, they
will be pushed into -stable.
However, the EPEL-5 repository still contains mediawiki-1.14.0-45.el5
as the latest version.
Stephen, would it be possible to rebase the EPEL-5 version
to the latest upstream v.1.15.3 version too? (The previous
upstream release, v.1.15.2, also addressed two security flaws,
CVE-2010-1189 and CVE-2010-1190.)
Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
I apologize. This ticket should have been closed years ago as we moved to only having the Wikimedia Longterm Support in EPEL.