Two flaws were corrected in the recently-released MediaWiki 1.20.5 and 1.19.6 releases:

* Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as UTF-8. [1]
* Internal review discovered that extensions were not given the opportunity to disable a password reset, which could lead to circumvention of two-factor authentication. [2]

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=46590

Created mediawiki tracking bugs for this issue
Affects: fedora-all [bug 958306]
Affects: epel-5 [bug 953669]

Created mediawiki119 tracking bugs for this issue
Affects: epel-6 [bug 958307]

Created mediawiki116 tracking bugs for this issue
Affects: epel-all [bug 953670]

*** Bug 958474 has been marked as a duplicate of this bug. ***
As per http://seclists.org/oss-sec/2013/q2/248 these issues have been assigned CVE-2013-2031 (SVG script filter bypass) and CVE-2013-2032 (circumvention of two-factor authentication).
mediawiki119-1.19.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.19.6-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.19.6-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.20.5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.