A clickjacking vulnerability was reported in MediaWiki [1]. This could allow a malicious web site to compromise the account of the user visiting a MediaWiki-based web site (an attack similar to cross-site scripting). For full protection, a user needs to be using a browser that supports the X-Frame-Options feature [2].

MediaWiki 1.16.1 [3] has been released to correct this flaw. For MediaWiki 1.15.x and earlier, a patch [4] is available which denies all framing.

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
[2] https://developer.mozilla.org/en/the_x-frame-options_response_header
[3] http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOTES
[4] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/79566

This issue affects MediaWiki as provided in all supported versions of Fedora and EPEL5.
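
As an added example (not part of the original report and not MediaWiki's code), the following Python check classifies the X-Frame-Options policy in a response head, which is one way to confirm after patching that a wiki denies all framing. The sample responses are constructed, and the function names `framing_policy` and `not_denying` are assumptions made for this illustration.

```python
# Added example: classify the X-Frame-Options policy in an HTTP response head.
# All sample responses below are constructed for illustration.

SAMPLES = {
    "patched": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>",
    "lowercase": "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n",
    "sameorigin": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "unpatched": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "typo": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENNY\r\n\r\n",
}


def framing_policy(raw_response):
    """Return 'deny', 'sameorigin', 'missing' or 'review' for one response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    tokens = set()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; repeated headers are all collected.
        if sep and name.strip().lower() == "x-frame-options":
            tokens.update(v.strip().upper() for v in value.split(","))
    if not tokens:
        return "missing"
    if tokens == {"DENY"}:
        return "deny"
    if tokens == {"SAMEORIGIN"}:
        return "sameorigin"
    return "review"  # conflicting or unrecognised values need a human look


def not_denying(responses):
    """Names of responses that do not deny all framing, sorted."""
    return sorted(n for n, r in responses.items() if framing_policy(r) != "deny")


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {framing_policy(raw)}")
    print("not denying all framing:", ", ".join(not_denying(SAMPLES)))
```
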

Created mediawiki tracking bugs for this issue
Affects: fedora-all [bug 667201]

Created mediawiki tracking bugs for this issue
Affects: epel-5 [bug 667202]