A cross-site request forgery flaw was found in the way MediaWiki, a wiki engine, protected CSRF tokens available via the API when X-Frame-Options headers were used. Previously it was possible for a remote attacker to obtain them and possibly perform CSRF attacks.

References:
[1] http://www.gossamer-threads.com/lists/wiki/mediawiki/295767

Upstream bug:
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=39180

Relevant upstream patch:
[3] https://gerrit.wikimedia.org/r/#/c/20472/
This issue affects the versions of the mediawiki package, as shipped with Fedora releases 16 and 17. Please schedule an update.
--
This issue affects the version of the mediawiki package, as shipped with Fedora EPEL 5. Please schedule an update.
CVE request: http://www.openwall.com/lists/oss-security/2012/08/31/6
Created mediawiki tracking bugs for this issue
Affects: fedora-all [bug 853446]
Created mediawiki tracking bugs for this issue
Affects: epel-5 [bug 853447]
The CVE identifier of CVE-2012-4379 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/08/31/10