Three flaws were corrected in the recently released MediaWiki 1.20.4 and 1.19.5 releases:

* An internal review discovered that specially crafted Lua function names could lead to XSS [1]
* Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. [2]
* Internal review also discovered that Special:Import and Extension:RSS failed to prevent XML external entity (XXE) processing. [3]

CVE-2013-1951 was assigned to the first issue (the XSS); the other two do not have CVEs assigned, as per a discussion on oss-sec [4].

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=46084
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=46859
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=47251
[4] http://seclists.org/oss-sec/2013/q2/5
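The two XXE items above (SVG parsing, and Special:Import / Extension:RSS) share one root cause: an XML reader that honours entity declarations in an attacker-supplied document. The following is an added illustration written for this report, not MediaWiki code (MediaWiki is PHP; this uses Python's stdlib expat bindings), and the file name, secret contents and the SVG upload are all constructed here. It parses the same uploaded SVG twice: once with a reader that resolves the SYSTEM entity, which discloses a local file into the image title, and once with a reader that rejects any entity declaration and refuses external references. The expect:// command-execution variant mentioned above depends on PHP's expect stream wrapper and is not reproduced here.

```python
"""XXE in an SVG metadata reader: disclosing vs. rejecting external entities.

Added example for the MediaWiki 1.20.4 / 1.19.5 advisory; not project code.
"""
import os
import tempfile
import xml.parsers.expat as expat

# Constructed attacker upload: a minimal SVG whose <title> expands an entity
# that points at a file on the server. {path} is filled in at run time.
SVG_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <title>&xxe;</title>
</svg>
"""

# Constructed benign upload, to show the hardened reader still accepts plain SVG.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><title>logo</title></svg>'


class EntityDeclarationError(ValueError):
    """Raised by the hardened reader when the SVG declares any entity."""


def _collect_title(parser):
    """Install handlers that capture the text of the <title> element."""
    state = {"in_title": False, "title": []}

    def start(name, attrs):
        if name == "title":
            state["in_title"] = True

    def end(name):
        if name == "title":
            state["in_title"] = False

    def chars(data):
        if state["in_title"]:
            state["title"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return state


def vulnerable_read_title(svg_bytes):
    """Entity-resolving reader: fetches whatever the DTD's SYSTEM id names."""
    parser = expat.ParserCreate()
    state = _collect_title(parser)

    def resolve_external(context, base, system_id, public_id):
        # The dangerous step: the server opens the attacker-chosen path and
        # feeds its contents back into the document as entity text.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            child = parser.ExternalEntityParserCreate(context)  # shares handlers
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(svg_bytes, True)
    return "".join(state["title"])


def hardened_read_title(svg_bytes):
    """Reject every entity declaration and never resolve external references."""
    parser = expat.ParserCreate()
    state = _collect_title(parser)

    def refuse_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities are refused too (entity-expansion DoS), not only SYSTEM ones.
        raise EntityDeclarationError("entity declaration %r not allowed in SVG" % name)

    def refuse_external(context, base, system_id, public_id):
        return 0  # expat aborts the parse instead of fetching the reference

    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.Parse(svg_bytes, True)
    return "".join(state["title"])


def demo():
    """Run both readers over the constructed upload; returns (leaked, blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db_password=hunter2\n")  # constructed server-side secret
        svg = SVG_TEMPLATE.format(path=secret).encode()
        leaked = vulnerable_read_title(svg)
        try:
            hardened_read_title(svg)
            blocked = False
        except EntityDeclarationError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened reader fails closed at the DOCTYPE, before any reference is expanded, which is the property an upload validator needs: an SVG has no legitimate reason to carry an internal DTD subset, so rejecting the declaration itself is simpler and safer than trying to filter which SYSTEM identifiers are acceptable.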
Created mediawiki tracking bugs for this issue

Affects: fedora-all [bug 953668]
Affects: epel-5 [bug 953669]
Created mediawiki119 tracking bugs for this issue

Affects: epel-6 [bug 953671]
Created mediawiki116 tracking bugs for this issue

Affects: epel-all [bug 953670]
Fedora has these updates already.

Rawhide: http://koji.fedoraproject.org/koji/buildinfo?buildID=412368
Fedora 19: https://admin.fedoraproject.org/updates/FEDORA-2013-5874/mediawiki-1.20.4-1.fc19
Fedora 18: http://koji.fedoraproject.org/koji/buildinfo?buildID=412370 (update coming soon)
Fedora 17: http://koji.fedoraproject.org/koji/buildinfo?buildID=412372 (update coming soon)
mediawiki-1.19.5-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.19.5-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki119-1.19.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.