Updated mediawiki packages fix security vulnerabilities
Publication date: 12 Dec 2013
Modification date: 12 Dec 2013
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-4567, CVE-2013-4568, CVE-2013-4572
Description
Updated mediawiki packages fix security vulnerabilities:

Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568).

Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached and returned to other users (CVE-2013-4572).
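The check below is an added example, not code from MediaWiki or from this advisory: it classifies HTTP responses by whether a Set-Cookie header is sent together with Cache-Control directives that let a shared cache store the response, which is the condition described for CVE-2013-4572. The function names, header values and cookie name are constructed for illustration.

```python
def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


def audit_response(headers):
    """Classify one response given as a list of (name, value) pairs.

    None          - no cookie is set, nothing to leak
    "ok"          - private/no-store: a shared cache must not store it
    "leak-risk"   - a shared cache is explicitly allowed to store it
    "unspecified" - storage not forbidden; outcome depends on the cache
    """
    if not any(n.lower() == "set-cookie" for n, _ in headers):
        return None
    cc = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "private" in cc or "no-store" in cc:
        return "ok"
    # For shared caches s-maxage takes precedence over max-age.
    for key in ("s-maxage", "max-age"):
        if key in cc:
            if cc[key].isdigit() and int(cc[key]) > 0:
                return "leak-risk"
            break
    return "leak-risk" if "public" in cc else "unspecified"


# Constructed sample responses (header values and cookie name are made up).
COOKIE = ("Set-Cookie", "wiki_session=PLACEHOLDER; path=/; HttpOnly")
SHARED = ("Cache-Control", "s-maxage=18000, must-revalidate, max-age=0")
SAMPLES = {
    "anonymous view, no cookie": [SHARED],
    "cookie with shared-cache headers": [SHARED, COOKIE],
    "cookie with private headers": [("Cache-Control", "private, max-age=0"), COOKIE],
    "cookie, no Cache-Control": [COOKIE],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {audit_response(hdrs)}")
```

Responses classified as "unspecified" still need a look at the cache's own configuration, since storage is not forbidden by the headers alone.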
References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
- https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123011.html
- https://bugs.mageia.org/show_bug.cgi?id=11854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4568
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4572
SRPMS
3/core
- mediawiki-1.20.8-1.mga3