An information disclosure flaw was found in the way MediaWiki, the wiki engine, processed 'curid' and 'oldid' request paramaters. A remote attacker could use this flaw to enumerate page titles on private MediaWiki installations. Upstream bug report: [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 An information disclosure flaw was found in the way MediaWiki, the wiki engine, performed action=ajax requests dispatching to relevant internal functions. These requests were dispatched without any read permissions checks being done. A remote attacker could use this flaw to obtain data on private MediaWiki installations. Upstream bug report: [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=32616 References: [3] http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html [4] http://www.openwall.com/lists/oss-security/2011/11/29/6 [5] https://bugs.gentoo.org/show_bug.cgi?id=392383 Upstream patch (covering both of the issues): [6] http://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
These issues affect the version of the mediawiki package, as shipped with Fedora EPEL 5. Please schedule an update. -- These issues affect the versions of the mediawiki package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update.
Created mediawiki tracking bugs for this issue Affects: fedora-all [bug 758174] Affects: epel-5 [bug 758175]
The first issue (upstream bug 32276) was assigned the name CVE-2011-4360. The second issue (upstream bug 32616) was assigned the name CVE-2011-4361. http://www.openwall.com/lists/oss-security/2011/11/29/12