Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 25: FEDORA-2017-3fb95ed01f Moderate: MediaWiki XSS and CSRF Fixes

fedora
Calendar Grey April 15, 2017
Dist Fedora Esm H88
The recent MediaWiki enhancement for Fedora 25 tackles several important security concerns, notably XSS and CSRF exploitations.
* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect to interwiki links

Summary

MediaWiki is the software used for Wikipedia and the other Wikimedia

Foundation websites. Compared to other wikis, it has an excellent

range of features and support for high-traffic websites using multiple

servers

This package supports wiki farms. Read the instructions for creating wiki

instances under /usr/share/doc/mediawiki/README.RPM.

Remember to remove the config dir after completing the configuration.

* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect to

interwiki links. (CVE-2017-0363, CVE-2017-0364) * (T144845) XSS in

SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.

(CVE-2017-0365) * (T125177) API parameters may now be marked as "sensitive" to

keep their values out of the logs. (CVE-2017-0361) * (T150044) "Mark all

pages visited" on the watchlist now requires a CSRF token. (CVE-2017-0362) *

(T156184) Escape content model/format url parameter in message.

(CVE-2017-0368) * (T151735) SVG filter evasion using default attribute values in

DTD declaration. (CVE-2017-0366) * (T48143) Spam blacklist ineffective on

encoded URLs inside file inclusion syntax's link parameter. (CVE-2017-0370) *

(T108138) Sysops can undelete pages, although the page is protected against

it. (CVE-2017-0369) The following only affects 1.27 and above and is not

included in the 1.23 upgrade: * (T161453) LocalisationCache will no longer use

the temporary directory in its fallback chain when trying to work out where to

write the cache. (CVE-2017-0367) The following fix is for the SyntaxHighlight

extension: * (T158689) Parameters injection in SyntaxHighlight results in

multiple vulnerabilities. (CVE-2017-0372)

su -c 'dnf upgrade mediawiki' at the command line.

For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Topics%20covered

Topics Covered

security advisory fedora update software patch xss mediawiki csrf

Change Log

References

Update Instructions

Severity
important
Lowest
Low
Medium
High
Critical

Product: Fedora 25
Version: 1.27.2
Release: 1.fc25
URL: https://www.mediawiki.org/wiki/MediaWiki
Summary: A wiki engine

Topics%20covered

Topics Covered

security advisory fedora update software patch xss mediawiki csrf

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here