MGASA-2017-0110

Updated mediawiki packages fix security vulnerability

Publication date: 16 Apr 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-0361, CVE-2017-0362, CVE-2017-0363, CVE-2017-0364, CVE-2017-0365, CVE-2017-0366, CVE-2017-0368, CVE-2017-0369, CVE-2017-0370


API parameters may now be marked as "sensitive" to keep their values out
of the logs (CVE-2017-0361).

"Mark all pages visited" on the watchlist now requires a CSRF token.

Special:UserLogin and Special:Search allow redirect to interwiki links
(CVE-2017-0363, CVE-2017-0364).
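Both of the entry points above take a page title and redirect to it (the "returnto" value after login, or the matching title of a search "go" request). The defect is that an interwiki-prefixed title such as "wikipedia:Something" resolves to another site, so the redirect leaves the wiki. As an added example (not MediaWiki's own code), the following Python validator accepts only titles that stay local: it rejects absolute and protocol-relative URLs and any title whose prefix is a known interwiki prefix. The prefix set and the fallback title are assumptions for the example; a real wiki would read its interwiki table.

```python
import re

# Constructed sample of interwiki prefixes. A real wiki reads these from its
# interwiki table; this set is an assumption for the example.
INTERWIKI_PREFIXES = {"wikipedia", "mw", "meta", "wikt"}

# Anything that looks like "scheme://" is an absolute URL, never a local title.
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def is_local_title(target: str) -> bool:
    """Return True only if `target` can be a page title on this wiki.

    Rejects absolute and protocol-relative URLs and any interwiki-prefixed
    title, so a redirect built from it cannot leave the site.
    """
    if not target:
        return False
    t = target.strip()
    # Empty after trimming, or containing control characters: not a title.
    if not t or any(ord(c) < 0x20 for c in t):
        return False
    # Protocol-relative ("//host/...") and backslash variants, then "scheme://".
    if t.startswith(("//", "\\\\", "/\\", "\\/")) or ABSOLUTE_URL.match(t):
        return False
    # Interwiki syntax is "prefix:Title". A leading colon (":wikipedia:Foo")
    # is also valid link syntax, so strip it before examining the prefix.
    prefix, sep, _rest = t.lstrip(":").partition(":")
    if sep and prefix.strip().lower() in INTERWIKI_PREFIXES:
        return False
    return True


def safe_redirect_target(target: str, fallback: str = "Main_Page") -> str:
    """Choose the title to redirect to after login or a search 'go' hit.

    Unsafe or empty targets fall back to a fixed local page instead of
    being passed through. The fallback title is an assumption.
    """
    return target.strip() if is_local_title(target) else fallback


if __name__ == "__main__":
    for candidate in ("Main_Page", "Talk:Sandbox", "wikipedia:Evil",
                      ":mw:Foo", "//evil.example/x", "https://evil.example/"):
        print(f"{candidate!r:28} -> {safe_redirect_target(candidate)}")
```

Namespaced local titles such as "Talk:Sandbox" still pass because only prefixes present in the interwiki set are treated as external; the check is deliberately a whitelist of "stays on this wiki", not a blacklist of URL schemes.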

XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true (CVE-2017-0365).

SVG filter evasion using default attribute values in DTD declaration.
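The evasion named above works because a DTD internal subset can declare a default value for an attribute, and a conforming XML parser then adds that attribute to every matching element even though it never appears in a start tag; a filter that only inspects start tags never sees it. As an added example (not MediaWiki's own code), the following Python check uses the standard library's expat bindings to report any internal subset and any ATTLIST default, shows that the defaulted attribute really does show up on the element, and rejects such uploads outright. The two SVG documents are constructed samples.

```python
import xml.parsers.expat

# Constructed sample: a harmless default attribute injected via the internal
# subset. The attribute never appears in the <rect> start tag itself.
SVG_WITH_DTD_DEFAULT = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ATTLIST rect data-note CDATA "injected-by-dtd">
]>
<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>
"""

# Constructed sample with no DTD at all.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>
"""


def inspect_svg(data: bytes) -> dict:
    """Parse the document and record DTD features a start-tag scanner misses.

    Raises xml.parsers.expat.ExpatError on malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()
    report = {"internal_subset": False, "attlist_defaults": [], "defaulted_attrs": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if has_internal_subset:
            report["internal_subset"] = True

    def on_attlist(elname, attname, atype, default, required):
        # `default` is None for #IMPLIED / #REQUIRED, else the literal default.
        if default is not None:
            report["attlist_defaults"].append((elname, attname, default))

    def on_start(name, attrs):
        # expat reports defaulted attributes alongside specified ones, so an
        # attribute declared only in the DTD appears here on the element.
        for elname, attname, _default in report["attlist_defaults"]:
            if elname == name and attname in attrs:
                report["defaulted_attrs"].append((name, attname, attrs[attname]))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.AttlistDeclHandler = on_attlist
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return report


def svg_upload_allowed(data: bytes) -> bool:
    """Reject any SVG that carries an internal subset or attribute defaults.

    A DOCTYPE serves no purpose in an uploaded SVG, so refusing it entirely
    is simpler and safer than trying to evaluate what it declares.
    """
    try:
        report = inspect_svg(data)
    except xml.parsers.expat.ExpatError:
        return False
    return not (report["internal_subset"] or report["attlist_defaults"])


if __name__ == "__main__":
    print(inspect_svg(SVG_WITH_DTD_DEFAULT))
    print("allowed:", svg_upload_allowed(SVG_WITH_DTD_DEFAULT))
    print("allowed:", svg_upload_allowed(CLEAN_SVG))
```

The point of `defaulted_attrs` is diagnostic: it demonstrates why text-based scanning of start tags is insufficient, since the parser that eventually renders the file will see the attribute whether or not the scanner did.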

Escape content model/format url parameter in message (CVE-2017-0368).

Sysops can undelete pages even though the page is protected against it.

Spam blacklist ineffective on encoded URLs inside file inclusion syntax's
link parameter (CVE-2017-0370).
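The blacklist entry above fails because the pattern is matched against the raw text of the link= parameter, while the browser follows the URL after percent-decoding and entity-decoding it; "spam-%64omain" and "spam-domain&#46;example" both reach the same host but neither matches a pattern written for "spam-domain.example". As an added example (not MediaWiki's own code), the following Python code extracts link= parameters from file inclusion syntax, canonicalizes each URL with a bounded number of decoding rounds, and only then applies the blacklist; a naive matcher is kept beside it for comparison. The blacklist pattern, the domain and the wikitext are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Constructed blacklist; a real wiki loads its patterns from the
# spam-blacklist page. The domain is a placeholder.
SPAM_BLACKLIST = [re.compile(r"spam-domain\.example", re.I)]

# Matches [[File:...|param|param]] / [[Image:...]] and captures the inside.
FILE_LINK = re.compile(r"\[\[\s*(?:File|Image)\s*:(.*?)\]\]", re.I | re.S)

# Constructed wikitext: two encoded evasions and one legitimate link.
SAMPLE_WIKITEXT = (
    "[[File:Cat.png|thumb|link=http://spam-%64omain.example/buy]]\n"
    "[[File:Dog.png|link=http://spam-domain&#46;example/]]\n"
    "[[File:Ok.png|link=http://wiki.example/Page]]\n"
)


def canonicalize_url(raw: str, max_rounds: int = 3) -> str:
    """Undo HTML-entity and percent encoding, a bounded number of times.

    Repeating until the string stops changing handles double encoding
    ("%2564" -> "%64" -> "d"); the bound keeps pathological input cheap.
    """
    url = raw.strip()
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(url))
        if decoded == url:
            break
        url = decoded
    return url


def naive_blacklisted(raw: str) -> bool:
    """Match the raw parameter text only: the ineffective behaviour."""
    return any(p.search(raw) for p in SPAM_BLACKLIST)


def blacklisted_link_params(wikitext: str) -> list:
    """Return the canonical form of every link= parameter on the blacklist."""
    hits = []
    for m in FILE_LINK.finditer(wikitext):
        # First segment is the file name; the rest are parameters.
        for param in m.group(1).split("|")[1:]:
            name, sep, value = param.partition("=")
            if sep and name.strip().lower() == "link":
                url = canonicalize_url(value)
                if any(p.search(url) for p in SPAM_BLACKLIST):
                    hits.append(url)
    return hits


if __name__ == "__main__":
    print("naive:", naive_blacklisted("http://spam-%64omain.example/buy"))
    print("canonical hits:", blacklisted_link_params(SAMPLE_WIKITEXT))
```

Canonicalizing before matching is the general rule for any denylist applied to attacker-controlled text: compare the form the consumer will act on, not the form the author typed.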