MediaWiki upstream has released:

  [1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html

latest, v.1.15.3 version, addressing one cross-site request forgery (CSRF) issue (from [1]):

"MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password."

Upstream bug report:

  [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

CVE Request (and reply):

  [3] http://www.openwall.com/lists/oss-security/2010/04/07/1
  [4] http://www.openwall.com/lists/oss-security/2010/04/08/4
This issue has already been addressed in current versions of the mediawiki package, as shipped with Fedora releases 11 and 12. Particular builds (mediawiki-1.15.3-53.fc11 and mediawiki-1.15.3-53.fc12) are already present in the relevant -candidate repositories for each of the above listed releases, and once the Fedora stabilization process completes, they will be pushed into -stable.

Though, the EPEL-5 repository still contains mediawiki-1.14.0-45.el5 as the latest version.

Stephen, would it be possible to rebase the EPEL-5 version to the latest upstream v.1.15.3 version too? (as the previous upstream release v.1.15.2 also addressed two security flaws -- CVE-2010-1189 and CVE-2010-1190).

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
I apologize. This ticket should have been closed years ago as we moved to only having the Wikimedia Longterm Support in EPEL.