From oss-security: > I would like to announce the release of MediaWiki 1.16.5. Two security > > issues were discovered. > > > > The first issue is yet another recurrence of the Internet Explorer 6 > > XSS vulnerability that caused the release of 1.16.4. It was pointed > > out that there are dangerous extensions with more than four > > characters, so the regular expressions we introduced had to be updated > > to match longer extensions. > > > > For more details, see > > https://bugzilla.wikimedia.org/show_bug.cgi?id=28534 Use CVE-2011-1765 > > > > The second issue allows unauthenticated users to gain additional > > rights, on wikis where $wgBlockDisablesLogin is enabled. By default, > > it is disabled. The issue occurs when a malicious user sends cookies > > which contain the user name and user ID of a "victim" account. In > > certain circumstances, the rights of the victim are loaded and persist > > throughout the malicious request, allowing the malicious user to > > perform actions with the victim's rights. > > > > $wgBlockDisablesLogin is a feature which is sometimes used on private > > wikis to prevent users who have an account from logging in and viewing > > content on the wiki. > > > > For more details, see > > https://bugzilla.wikimedia.org/show_bug.cgi?id=28639 > > Use CVE-2011-1766
Blocks: (none) => 908Target Milestone: --- => Mageia 1
CC: (none) => cjw
updated to 1.16.5
Status: NEW => RESOLVEDResolution: (none) => FIXED