--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-5569
2015-04-05 11:02:50
--------------------------------------------------------------------------------

Name        : mediawiki
Product     : Fedora 20
Version     : 1.23.9
Release     : 1.fc20
URL         : https://www.mediawiki.org/
Summary     : A wiki engine
Description :
MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation
websites. Compared to other wikis, it has an excellent range of features and
support for high-traffic websites using multiple servers.

This package supports wiki farms. Read the instructions for creating wiki
instances under /usr/share/doc/mediawiki/README.RPM.

Remember to remove the config dir after completing the configuration.

--------------------------------------------------------------------------------
Update Information:

Changes since 1.23.8

* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML
  entities, to prevent various DoS attacks.
* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to
  reduce likelihood of DoS.
* (bug T88310) SECURITY: Always expand XML entities when checking SVGs.
* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG
  filtering to prevent XSS and protect viewer's privacy.
* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 1 2015 Michael Cronenworth - 1.23.9-1
- Update to 1.23.9
- (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML
  entities, to prevent various DoS attacks.
- (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to
  reduce likelihood of DoS.
- (bug T88310) SECURITY: Always expand XML entities when checking SVGs.
- (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
- (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG
  filtering to prevent XSS and protect viewer's privacy.
- (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
* Thu Dec 18 2014 Michael Cronenworth - 1.23.8-1
- Update to 1.23.8
- (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
  could lead to XSS. Permission to edit the MediaWiki namespace is required to
  exploit this.
- (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.
- (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fri Nov 28 2014 Michael Cronenworth - 1.23.7-1
- Update to 1.23.7
- Release notes: https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7
* Mon Nov 3 2014 Michael Cronenworth - 1.23.6-1
- Update to 1.23.6
- (bug 67440) Allow classes to be registered properly from installer
- (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length:
  header
* Thu Oct 2 2014 Michael Cronenworth - 1.23.5-1
- Update to 1.23.5
- CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of CSS and
  JS module allowance.
* Fri Sep 26 2014 Michael Cronenworth - 1.23.4-1
- Update to 1.23.4
- (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter
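The T85848 / T88310 entries above both come down to one rule: never hand attacker-controlled XML (an XMP metadata block, an uploaded SVG) to a parser that will expand entities before you have decided whether the document declares any. The following is an added example, not MediaWiki's own XmpReader or XmlTypeCheck code; it uses Python's stdlib expat bindings, and the sample SVG payloads are constructed here for illustration. The point it shows is that the entity declaration handler fires before any entity reference is expanded, so a billion-laughs or external-entity payload can be refused at zero cost.

```python
"""Refuse XML that declares entities, before any expansion can happen.

Added example for the MediaWiki 1.23.9 entity-handling fixes; not project code.
"""
import xml.parsers.expat


class EntityDeclared(Exception):
    """Raised from the parser callback the moment an <!ENTITY ...> is seen."""


def check_xml(data: bytes) -> str:
    """Classify an XML blob as 'ok', 'entities' or 'malformed'.

    'entities' means the document declares at least one entity (internal,
    external or parameter).  Because expat reports the declaration before it
    ever expands a reference, a billion-laughs payload is rejected without
    the parser allocating the expanded text.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Abort on the first declaration; we do not care what it contains.
        raise EntityDeclared(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclared:
        return "entities"
    except xml.parsers.expat.ExpatError:
        # Not well-formed XML at all; treat it as unacceptable for upload too.
        return "malformed"
    return "ok"


# Constructed samples (not taken from any real upload).
BENIGN_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
)

# Only three levels here; a real billion-laughs payload uses ~10 levels for
# roughly 10**9 expansions of the innermost string.
BILLION_LAUGHS_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg ['
    b'<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
    b']>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><title>&c;</title></svg>'
)

# External entity (XXE-style) declaration; the declaration alone is enough to reject.
XXE_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><title>&x;</title></svg>'
)


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_SVG),
                        ("billion laughs", BILLION_LAUGHS_SVG),
                        ("external entity", XXE_SVG)]:
        print(f"{label:16s} -> {check_xml(blob)}")
```

The check deliberately refuses any entity declaration rather than trying to measure expansion cost; the same conservative rule is why the 1.23.9 changelog says XMP blocks containing entities are simply not parsed. Checking SVGs "with entities expanded" (T88310) is the complementary concern: if a later filter inspects element names or attributes, it must see the same tree a browser will see, which is only guaranteed when no entity can rewrite it.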
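The T77028 entry (1.23.8) describes a classic allow-list bug: the caller's Origin was accepted if an allowed domain merely appeared somewhere inside it. The example below is added here and is not MediaWiki's own CORS code; $wgCrossSiteAJAXdomains is the real setting name, but the allow-list contents, the two functions and the `*.` wildcard semantics (exactly one extra label) are assumptions made for illustration. It puts the substring check beside a host-exact check so the bypass is visible.

```python
"""Origin allow-list matching: substring match (the bug class) vs. exact host match.

Added example for the T77028 entry; not MediaWiki code.
"""
from typing import Sequence
from urllib.parse import urlsplit

# Constructed allow-list in the spirit of $wgCrossSiteAJAXdomains.
ALLOWED = ["wiki.example.org", "*.example.net"]


def origin_allowed_substring(origin: str, allowed: Sequence[str]) -> bool:
    """The vulnerable shape: 'does an allowed domain occur in the Origin string?'

    Anything that contains an allowed name as a substring passes, e.g.
    https://wiki.example.org.evil.test or https://evil.test/wiki.example.org.
    """
    return any(pattern.replace("*.", "", 1) in origin for pattern in allowed)


def origin_allowed(origin: str, allowed: Sequence[str]) -> bool:
    """Hardened check: parse the Origin and compare the host label-for-label.

    - only http/https origins, with no path, query or fragment
    - exact, case-insensitive host match for plain entries
    - '*.example.net' matches a.example.net but not example.net or a.b.example.net
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return False                      # rejects "null", "file:", garbage
    if parts.path or parts.query or parts.fragment:
        return False                      # an Origin is scheme://host[:port] only
    host = parts.hostname                 # lower-cased, port stripped, None if absent
    if not host:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]          # ".example.net"
            if host.endswith(suffix):
                extra = host[:-len(suffix)]
                if extra and "." not in extra:
                    return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    for origin in ["https://wiki.example.org",
                   "https://wiki.example.org.evil.test",
                   "https://evil.test/wiki.example.org",
                   "https://a.example.net",
                   "https://a.b.example.net",
                   "null"]:
        print(f"{origin:40s} substring={origin_allowed_substring(origin, ALLOWED)!s:5s} "
              f"exact={origin_allowed(origin, ALLOWED)}")
```

The Origin header value is the attacker's choice of registrable domain, so every comparison has to be anchored at both ends of the host; a port is harmless to strip, but a path or a longer suffix must never be allowed to carry an allowed name past the check.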