Updated mediawiki packages fix security vulnerability
Publication date: 16 Apr 2017
Modification date: 16 Apr 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-0361 , CVE-2017-0362 , CVE-2017-0363 , CVE-2017-0364 , CVE-2017-0365 , CVE-2017-0366 , CVE-2017-0368 , CVE-2017-0369 , CVE-2017-0370
Description
API parameters may now be marked as "sensitive" to keep their values out of the logs (CVE-2017-0361).
"Mark all pages visited" on the watchlist now requires a CSRF token (CVE-2017-0362).
Special:UserLogin and Special:Search allow redirects to interwiki links (CVE-2017-0363, CVE-2017-0364).
XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true (CVE-2017-0365).
SVG filter evasion using default attribute values in a DTD declaration (CVE-2017-0366).
Escape the content model/format URL parameter in a message (CVE-2017-0368).
Sysops can undelete pages even when the page is protected against undeletion (CVE-2017-0369).
Spam blacklist ineffective on encoded URLs inside the link parameter of file inclusion syntax (CVE-2017-0370).
References
- https://bugs.mageia.org/show_bug.cgi?id=20654
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0361
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0362
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0366
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0368
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0369
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0370
SRPMS
5/core
- mediawiki-1.23.16-1.mga5