Updated mediawiki packages fix security vulnerbilities
Publication date: 07 Oct 2014Modification date: 07 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-7199 , CVE-2014-7295
Description
Updated mediawiki packages fix security vulnerability: MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199). MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specificed CSS in certain special pages (CVE-2014-7295).
References
- https://bugs.mageia.org/show_bug.cgi?id=14182
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000161.html
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html
- https://www.debian.org/security/2014/dsa-3036
- https://www.debian.org/security/2014/dsa-3046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
SRPMS
3/core
- mediawiki-1.23.5-1.mga3
4/core
- mediawiki-1.23.5-1.mga4