-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2008-11743 2008-12-24 11:09:45 --------------------------------------------------------------------------------
Name : mediawiki Product : Fedora 10 Version : 1.13.3 Release : 42.fc10 URL : http://www.mediawiki.org/ Summary : A wiki engine Description : MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers This package supports wiki farms. Copy /var/www/wiki over to the desired wiki location and configure it through the web interface. Remember to remove the config dir after completing the configuration. -------------------------------------------------------------------------------- Update Information: This is a security release of MediaWiki 1.13.3. Some of the security issues affect *all* versions of MediaWiki except the versions released on Dec. 15th, so all site administrators are encouraged to upgrade. CVEs assigned to the mentioned MediaWiki update: CVE-2008-5249 Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1.13.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2008-5250 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1.12.x before 1.12.2, and 1.13.x before 1.13.3, when Internet Explorer is used and uploads are enabled, or an SVG scripting browser is used and SVG uploads are enabled, allows remote authenticated users to inject arbitrary web script or HTML by editing a wiki page. CVE-2008-5252 Cross-site request forgery (CSRF) vulnerability in the Special:Import feature in MediaWiki 1.3.0 through 1.6.10, 1.12.x before 1.12.2, and 1.13.x before 1.13.3 allows remote attackers to perform unspecified actions as authenticated users via unknown vectors. As well as other two issue mentioned in the upstream announcement, treated as security enhancement rather than vulnerability fixes by upstream: CVE-2008-5687 MediaWiki 1.11 through 1.13.3 does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/. CVE-2008-5688 MediaWiki 1.8.1 through 1.13.3, when the wgShowExceptionDetails variable is enabled, sometimes provides the full installation path in a debugging message, which might allow remote attackers to obtain sensitive information via unspecified requests that trigger an uncaught exception. -------------------------------------------------------------------------------- ChangeLog: * Tue Dec 23 2008 Axel Thimm <axel.th...@atrpms.net> - 1.13.3-42 - Update to 1.13.3, closes RH bug #476621 (CVE-2008-5249, CVE-2008-5250, CVE-2008-5252 and CVE-2008-5687, CVE-2008-5688) -------------------------------------------------------------------------------- References: [ 1 ] Bug #476621 - mediawiki: multiple XSS and CSRF issues (CVE-2008-5249, CVE-2008-5250, CVE-2008-5252, CVE-2008-5687, CVE-2008-5688) https://bugzilla.redhat.com/show_bug.cgi?id=476621 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update mediawiki' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-announce