Upstream has announced MediaWiki 1.22.5 today (March 28): http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html

It fixes one security issue. A CVE has been requested: http://openwall.com/lists/oss-security/2014/03/28/1

I'll post an advisory once the CVE is available.

Updated packages in core/updates_testing:
========================================
mediawiki-1.22.5-1.mga3
mediawiki-mysql-1.22.5-1.mga3
mediawiki-pgsql-1.22.5-1.mga3
mediawiki-sqlite-1.22.5-1.mga3
mediawiki-1.22.5-1.mga4
mediawiki-mysql-1.22.5-1.mga4
mediawiki-pgsql-1.22.5-1.mga4
mediawiki-sqlite-1.22.5-1.mga4

from SRPMS:
mediawiki-1.22.5-1.mga3.src.rpm
mediawiki-1.22.5-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Working fine on my production wiki at work, Mageia 4 i586.
Installed and set up mediawiki 1.22.5 using mysql, postgresql and sqlite on Mageia 4 x86_64 without problems. Installed the mediawiki-ldapauthentication extension and set up each to use ldap authentication. Very handy. A user created in any of the wikis can access all of them with the current setup.

Adding sqlite support to mediawiki-ldapauthentication required a simple patch. The mysql update schema can be used to create the sqlite table without error.

Testing complete Mageia 4 x86_64 for mediawiki-1.22.5-1.mga4.src.rpm
CC: (none) => warrendiogenese
Source RPM: mediawiki-1.22.3-1.mga4.src.rpm => mediawiki-1.22.5-1.mga4.src.rpm
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Source RPM: mediawiki-1.22.5-1.mga4.src.rpm => mediawiki-1.22.3-1.mga4.src.rpm
A CVE has finally been assigned: http://openwall.com/lists/oss-security/2014/04/01/7

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

Login CSRF issue in MediaWiki before 1.22.5 in Special:ChangePassword, whereby a user can be logged into an attacker's account without being aware of it, allowing the attacker to track the user's activity (CVE-2014-2665).

MediaWiki has been updated to version 1.22.5, fixing this and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html
http://openwall.com/lists/oss-security/2014/04/01/7
Installed instances of mediawiki 1.22.3 onto Mageia 4 i586, Mageia 3 i586 & x86_64 using mysql, postgresql and sqlite.

Following the PoC at https://bugzilla.wikimedia.org/show_bug.cgi?id=62497, created a web page the user could be tricked into visiting that then brings up the mediawiki change password form. The form's user name and password belong to the attacker, but could be made to look very similar to that of the intended victim. The user then continues under the attacker's account, leaving a trail in the mediawiki history the attacker can view later.

After upgrading to 1.22.5, instead of the change password form, an error is displayed: "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."

Set up mediawiki-ldapauthentication for all 12 instances using the same ldap server, then logged out/in and created articles, new accounts and uploaded files without problems.

Note: mediawiki-ldapauthentication doesn't support sqlite. I wrote a patch for that so I could test against it.

Testing complete Mageia 3 i586, Mageia 3 x86_64, Mageia 4 i586, Mageia 4 x86_64, for the srpm mediawiki-1.22.3-1.mga4.src.rpm

------------------------------------------
Update validated. Thanks.

Advisory: CVE-2014-2665: See Comment 3.

SRPM: mediawiki-1.22.3-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates. Thank you!
------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
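The advisory in comment 3 and the QA comment above describe a login CSRF: a cross-origin page posts the attacker's credentials to the change-password form, and the victim's browser ends up logged in as the attacker. The fix class is a token bound to the browser's own session, which a page on another origin cannot obtain. The following is an added, self-contained illustration of that check and is not MediaWiki's code: the handler names, the `token` form field, the `Session` class and the user table are all constructed for the demo. It contrasts an unchecked handler (the pre-1.22.5 behaviour) with one that rejects a form whose token does not belong to the submitting session, producing the error text quoted in the QA comment.

```python
import hashlib
import hmac
import secrets

# Error text quoted in the QA comment above (what MediaWiki 1.22.5 displays).
SESSION_ERROR = (
    "There seems to be a problem with your login session; this action has been "
    "canceled as a precaution against session hijacking. Go back to the previous "
    "page, reload that page and then try again."
)


def fresh_users():
    # Constructed user table for the demo: username -> password (plain text only here).
    return {"victim": "victim-pass", "attacker": "attacker-pass"}


class Session:
    """Hypothetical browser session: a per-session secret plus the logged-in user."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.user = None


def change_password_token(session):
    """Token the genuine form embeds. It is derived from the session secret, so a
    page on another origin (which cannot read this session's cookie/secret)
    cannot mint a matching value."""
    return hmac.new(session.secret, b"changepassword", hashlib.sha256).hexdigest()


def change_password_unpatched(session, form, users):
    """Handler with no session-bound token (the behaviour the advisory describes):
    any correct credentials are accepted and the browser is logged in as that user."""
    if users.get(form["username"]) != form["password"]:
        return False, "wrong credentials"
    users[form["username"]] = form["new_password"]
    session.user = form["username"]
    return True, "password changed; logged in as " + session.user


def change_password_patched(session, form, users):
    """Handler with the CSRF check: the posted token must match this session's
    token before credentials are even looked at. Constant-time comparison
    avoids leaking how many leading characters matched."""
    posted = form.get("token", "").encode()
    expected = change_password_token(session).encode()
    if not hmac.compare_digest(posted, expected):
        return False, SESSION_ERROR
    return change_password_unpatched(session, form, users)


def simulate_login_csrf(handler):
    """The victim's browser submits a form crafted on the attacker's site. It
    carries the attacker's credentials and, at best, a token minted in the
    attacker's own session. Returns (accepted, message, user now logged in)."""
    victim_browser = Session()
    attacker_browser = Session()
    crafted_form = {
        "username": "attacker",
        "password": "attacker-pass",
        "new_password": "attacker-pass",
        "token": change_password_token(attacker_browser),  # wrong session
    }
    ok, msg = handler(victim_browser, crafted_form, fresh_users())
    return ok, msg, victim_browser.user


def simulate_legitimate_change(handler):
    """The same user fills in the form rendered inside their own session."""
    browser = Session()
    users = fresh_users()
    form = {
        "username": "victim",
        "password": users["victim"],
        "new_password": "victim-new-pass",
        "token": change_password_token(browser),  # correct session
    }
    ok, msg = handler(browser, form, users)
    return ok, msg, browser.user


if __name__ == "__main__":
    print("unpatched, cross-site post:", simulate_login_csrf(change_password_unpatched))
    print("patched,   cross-site post:", simulate_login_csrf(change_password_patched))
    print("patched,   own-session post:", simulate_legitimate_change(change_password_patched))
```

Run stand-alone, the first line shows the victim's session silently becoming the attacker's account; the second shows the patched handler refusing with the session error; the third shows a normal change still going through. The token must be bound to the session rather than merely random per page, otherwise an attacker can fetch a token in their own session and reuse it, which is exactly the case the crafted form above tries.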
Thanks William. Advisory from comment 3 uploaded. Validating.
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO advisory MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
http://advisories.mageia.org/MGASA-2014-0157.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/592953/