New versions of MediaWiki have been announced [1] to fix the following flaw [2]: XSS vulnerability in MediaWiki before 1.22.7, due to usernames on Special:PasswordReset being parsed as wikitext. The username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an XSS crossing a privilege boundary. This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7. A CVE has been requested [4]. [1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=65501 [3] https://gerrit.wikimedia.org/r/#/c/136131/ [4] http://openwall.com/lists/oss-security/2014/06/03/7
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1104223] Affects: epel-5 [bug 1104224]
Created mediawiki119 tracking bugs for this issue: Affects: epel-all [bug 1104225]
Mediawiki 1.21.10 is in testing for both Fedora 19 and 20.
mediawiki119-1.19.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.