Upstream changelog mentions a whole bunch of vulnerabilities fixed in latest releases:

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.

== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
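The CORS item above (bug T77028) describes an allowlist check that accepts an origin merely containing an allowed domain. The following sketch is an added example, not MediaWiki's code: it assumes the allowlist entries use `*` and `?` wildcards, and the function names and sample origins are constructed for illustration. It compares a substring-style match with a whole-value match and reports which origins only the loose check lets through.

```python
import re

def wildcard_to_regex(entry):
    """Translate an allowlist entry ('*' = any run, '?' = one char) into a
    regex for a complete Origin value (scheme + host). Assumed semantics."""
    body = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(r"https?://" + body, re.IGNORECASE)

def origin_allowed(origin, allowed, anchored=True):
    """anchored=True: the entry must match the whole Origin header value.
    anchored=False: the flawed behaviour, where the entry may match anywhere
    inside the value."""
    for entry in allowed:
        rx = wildcard_to_regex(entry)
        hit = rx.fullmatch(origin) if anchored else rx.search(origin)
        if hit:
            return True
    return False

def loosely_accepted(origins, allowed):
    """Origins that pass the unanchored check but fail the anchored one.
    Useful when reviewing access logs for requests a pre-fix server
    would have trusted."""
    return [o for o in origins
            if origin_allowed(o, allowed, anchored=False)
            and not origin_allowed(o, allowed, anchored=True)]

# Constructed sample data (not from the bug report).
ALLOWED = ["en.example.org", "*.wiki.example.org"]
SAMPLE_ORIGINS = [
    "https://en.example.org",                # exact allowed host
    "http://foo.wiki.example.org",           # matches the wildcard entry
    "https://en.example.org.attacker.test",  # allowed name is only a prefix
    "https://unrelated.test",                # never allowed
]

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        print(o, origin_allowed(o, ALLOWED, anchored=False),
              origin_allowed(o, ALLOWED, anchored=True))
    print("accepted only by loose check:",
          loosely_accepted(SAMPLE_ORIGINS, ALLOWED))
```
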
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1175829]
Created mediawiki119 tracking bugs for this issue: Affects: epel-all [bug 1175830]
mediawiki-1.24.1-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.23.8-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mediawiki-1.23.8-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
MITRE assigned the following CVEs to these issues (http://seclists.org/oss-sec/2015/q1/19):

> * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
> which could lead to xss. Permission to edit MediaWiki namespace is required
> to exploit this.

CVE-2014-9475

> * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
> $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain
> as part of its name.

CVE-2014-9476

>
> == Security fixes in extensions ==
> * (bug T77624) [SECURITY] Extension:Listings: missing validation in the
> 'name' and 'url' parameters.

CVE-2014-9477

> * (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
> as wikitext and shows a preview, yet it fails to add an edit token to
> the form and check it. This can be exploited as an XSS when
> $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.

CVE-2014-9478

> * (bug T76195) [SECURITY] Extension:TemplateSandbox:
> Special:TemplateSandbox needs edit token when raw HTML is allowed

CVE-2014-9479

> * (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.

CVE-2014-9480

> * (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin
> leakage of data from a wiki through timing

CVE-2014-9481

> * (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3
> library for CVE-2014-2053.

CVE-2014-9487
This update was already pushed before this ticket was filed, closing.