Bug 13272

Summary: mediawiki new security issue fixed upstream in 1.22.6
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, rverschelde, sysadmin-bugs, warrendiogenese
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/597466/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
Source RPM: mediawiki-1.22.5-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-04-26 21:23:10 CEST
Upstream has announced MediaWiki 1.22.6 on April 24:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html

It fixes one security issue.  I haven't seen a CVE request for this.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key
is set to a string containing a script, the script will be executed when the
page is viewed using the info action.

References:
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.22.6-1.mga3
mediawiki-mysql-1.22.6-1.mga3
mediawiki-pgsql-1.22.6-1.mga3
mediawiki-sqlite-1.22.6-1.mga3
mediawiki-1.22.6-1.mga4
mediawiki-mysql-1.22.6-1.mga4
mediawiki-pgsql-1.22.6-1.mga4
mediawiki-sqlite-1.22.6-1.mga4

from SRPMS:
mediawiki-1.22.6-1.mga3.src.rpm
mediawiki-1.22.6-1.mga4.src.rpm

David Walser 2014-04-26 21:23:17 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 William Murphy 2014-04-28 09:40:18 CEST
Testing on Mageia 3 i586 and x86_64, Mageia 4 i586 and x86_64

This update adds one line of code and changes the version number. Must be important.

Before the update, adding this template to any regular page:

{{DEFAULTSORT:<script>alert("Gotcha");</script>}}

allows anyone clicking on the 'Page information' link located on the sidebar to run the JavaScript inside the script tags, which pops up an alert in this case.

After updating to mediawiki 1.22.6, the HTML is disabled and the JavaScript no longer runs on either arch for Mageia 3 & 4.

------------------------------------------
Update validated.
Thanks.

Advisory:
Listed above.

SRPMS: 
mediawiki-1.22.6-1.mga3.src.rpm
mediawiki-1.22.6-1.mga4.src.rpm

Re
Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
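
The before/after behaviour verified in comment 1, as an added example that is not part of the original bug report and is not MediaWiki's own code: a constructed 'Page information' row is rendered with and without HTML escaping of the sort key, and a parser-based check reports any element that ends up inside the row. The row markup and the names `render_row` and `audit_row` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Sort key taken from the test template in comment 1.
SORT_KEY = '<script>alert("Gotcha");</script>'


def render_row(label, value, escape_value):
    """Build one row of a hypothetical info table (constructed markup).

    escape_value=False models the pre-1.22.6 behaviour described in the
    advisory; escape_value=True models the fixed behaviour.
    """
    cell = escape(value, quote=True) if escape_value else value
    return "<tr><td>{}</td><td>{}</td></tr>".format(escape(label), cell)


class _RowAudit(HTMLParser):
    """Records every start tag and text node the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit_row(html_row, allowed_tags=("tr", "td")):
    """Return (unexpected_tags, visible_text) for a rendered row.

    Any tag outside allowed_tags means user-supplied text was parsed as
    markup instead of being displayed as text.
    """
    parser = _RowAudit()
    parser.feed(html_row)
    parser.close()
    unexpected = [t for t in parser.tags if t not in allowed_tags]
    return unexpected, "".join(parser.text)
```

With escaping off, `audit_row` reports a `script` element in the row; with escaping on, it reports no unexpected tags and the sort key appears as literal text.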

Comment 2 Rémi Verschelde 2014-04-28 18:53:30 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

Comment 3 Damien Lallement 2014-04-28 20:17:38 CEST
http://advisories.mageia.org/MGASA-2014-0197.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

David Walser 2014-04-30 16:25:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/596695/

Comment 4 David Walser 2014-05-07 22:35:20 CEST
The issue has CVE-2014-2853, which LWN created an entry for here:
http://lwn.net/Vulnerabilities/597466/

Would someone mind adding the CVE reference to the advisory in SVN?

Updated mediawiki packages fix security vulnerability:

XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key
is set to a string containing a script, the script will be executed when the
page is viewed using the info action (CVE-2014-2853).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2853
https://bugzilla.wikimedia.org/show_bug.cgi?id=63251
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html

David Walser 2014-05-07 22:57:54 CEST

URL: http://lwn.net/Vulnerabilities/596695/ => http://lwn.net/Vulnerabilities/597466/

Comment 5 claire robinson 2014-05-08 17:50:04 CEST
Done. Anybody with svn access can do so.