MediaWiki 1.16.2 was released today with the following fixes: An arbitrary script inclusion vulnerability was discovered. The vulnerability only allows execution of files with names ending in ".php" which are already present in the local filesystem. Only servers running Microsoft Windows and possibly Novell Netware are affected. Despite these mitigating factors, all users are advised to upgrade, since there is a risk of complete server compromise. MediaWiki 1.8.0 and later is affected. For more details, see bug 27094: https://bugzilla.wikimedia.org/show_bug.cgi?id=27094 Security researcher mghack discovered a CSS injection vulnerability. For Internet Explorer and similar browsers, this is equivalent to an XSS vulnerability, that is to say, it allows the compromise of wiki user accounts. For other browsers, it allows private data such as IP addresses and browsing patterns to be sent to a malicious external web server. It affects all versions of MediaWiki. All users are advised to upgrade. For more information, see bug 27093: https://bugzilla.wikimedia.org/show_bug.cgi?id=27093 This vulnerability was originally reported to the Mozilla Security Group and has been assigned CVE-2011-0047. http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES Only 1.16.2 has been released, however the CSS injection would affect previous versions as shipped in EPEL (mediawiki114 and mediawiki115).
Created mediawiki tracking bugs for this issue Affects: fedora-all [bug 674456]
Created mediawiki116 tracking bugs for this issue Affects: epel-all [bug 674457]
Created mediawiki114 tracking bugs for this issue Affects: epel-4 [bug 674459] Affects: epel-5 [bug 674460]
Created mediawiki115 tracking bugs for this issue Affects: epel-all [bug 674458]
The first issue (arbitrary script inclusion vulnerability) has been assigned CVE-2011-0537.