Fedora 20: mediawiki Security Update

    Date: 18 Apr 2015
    Category: Fedora
    Posted By: LinuxSecurity Advisories
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2015-5569
    2015-04-05 11:02:50
    --------------------------------------------------------------------------------
    
    Name        : mediawiki
    Product     : Fedora 20
    Version     : 1.23.9
    Release     : 1.fc20
    URL         : http://www.mediawiki.org/
    Summary     : A wiki engine
    Description :
    MediaWiki is the software used for Wikipedia and the other Wikimedia
    Foundation websites. Compared to other wikis, it has an excellent
    range of features and support for high-traffic websites using multiple
    servers.
    
    This package supports wiki farms. Read the instructions for creating wiki
    instances under /usr/share/doc/mediawiki/README.RPM.
    Remember to remove the config dir after completing the configuration.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    Changes since 1.23.8
    
    * (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
    * (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
    * (bug T88310) SECURITY: Always expand XML entities when checking SVGs.
    * (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
    * (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
    * (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
    * (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
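As an added illustration of two of the fix classes listed above (not code from MediaWiki or Fedora): a Python pre-parse check that rejects SVG or XMP input that declares XML entities or points at an external DTD, stopping at the declaration so an entity-expansion payload is never expanded, and an attribute renderer that escapes `>` alongside the other special characters. Function names and the sample inputs are my own constructions.

```python
import xml.parsers.expat

_ATTR_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


class EntityDeclared(Exception):
    """Raised from a parser callback to stop parsing at the first entity."""


def declares_entities(data: bytes) -> bool:
    """True if the XML (an SVG or an XMP block) declares an entity, references
    an external DTD, or is not well-formed. Expat fires EntityDeclHandler at
    the declaration itself, before the document body is processed, so this
    check never expands an entity-expansion payload."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(*_):
        raise EntityDeclared()

    def on_doctype(_name, system_id, _public_id, _has_internal_subset):
        if system_id is not None:  # an external DTD could declare entities we never see
            raise EntityDeclared()

    parser.EntityDeclHandler = on_entity_decl
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except (EntityDeclared, xml.parsers.expat.ExpatError):
        return True  # malformed input is rejected as well
    return False


def escape_attr(value: str) -> str:
    """Escape an HTML attribute value; '>' is escaped along with the usual
    characters so a value can never terminate the enclosing tag."""
    return "".join(_ATTR_ESCAPES.get(ch, ch) for ch in value)


def expand_attributes(attrs: dict) -> str:
    """Render attributes as ' name="value" ...' with every value escaped."""
    return "".join(' %s="%s"' % (n, escape_attr(str(v))) for n, v in attrs.items())


# Constructed sample inputs (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
ENTITY_SVG = (b'<!DOCTYPE svg [<!ENTITY x "hello">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg"><title>&x;</title></svg>')
EXTERNAL_DTD_SVG = b'<!DOCTYPE svg SYSTEM "http://dtd.invalid/svg.dtd"><svg/>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("entity", ENTITY_SVG), ("ext dtd", EXTERNAL_DTD_SVG)):
        print(label, "rejected" if declares_entities(doc) else "accepted")
    print(expand_attributes({"title": 'x"><b>'}))
```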
    
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Wed Apr  1 2015 Michael Cronenworth  - 1.23.9-1
    - Update to 1.23.9
    - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
    - (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
    - (bug T88310) SECURITY: Always expand XML entities when checking SVGs.
    - (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
    - (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
    - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
    - (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
    * Thu Dec 18 2014 Michael Cronenworth  - 1.23.8-1
    - Update to 1.23.8
    - (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
    - (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
    - (bug T74222) The original patch for T74222 was reverted as unnecessary.
    * Fri Nov 28 2014 Michael Cronenworth  - 1.23.7-1
    - Update to 1.23.7
    - Release notes: http://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7
    * Mon Nov  3 2014 Michael Cronenworth  - 1.23.6-1
    - Update to 1.23.6
    - (bug 67440) Allow classes to be registered properly from installer
    - (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header
    * Thu Oct  2 2014 Michael Cronenworth  - 1.23.5-1
    - Update to 1.23.5
    - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
    * Fri Sep 26 2014 Michael Cronenworth  - 1.23.4-1
    - Update to 1.23.4
    - (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter