Upstream has announced MediaWiki 1.22.6 on April 24: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html It fixes one security issue. I haven't seen a CVE request for this. Advisory: ======================== Updated mediawiki packages fix security vulnerability: XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action. References: https://bugzilla.wikimedia.org/show_bug.cgi?id=63251 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html ======================== Updated packages in core/updates_testing: ======================== mediawiki-1.22.6-1.mga3 mediawiki-mysql-1.22.6-1.mga3 mediawiki-pgsql-1.22.6-1.mga3 mediawiki-sqlite-1.22.6-1.mga3 mediawiki-1.22.6-1.mga4 mediawiki-mysql-1.22.6-1.mga4 mediawiki-pgsql-1.22.6-1.mga4 mediawiki-sqlite-1.22.6-1.mga4 from SRPMS: mediawiki-1.22.6-1.mga3.src.rpm mediawiki-1.22.6-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Testing on Mageia 3 i586 and x86_64, Mageia 4 i586 and x86_64 This update adds one line of code and changes the version number. Must be important. Before the update, adding this template to any regular page: {{DEFAULTSORT:<script>alert("Gotcha");</script>}} Allows anyone clicking on 'Page information' link located on the sidebar to run the javascript inside the script tags, which pops up an alert in this case. After updating to mediawiki 1.22.6, the HTML is disabled and the javascript no longer runs on either archs for Mageia 3 & 4. ------------------------------------------ Update validated. Thanks. Advisory: Listed above. SRPMS: mediawiki-1.22.6-1.mga3.src.rpm mediawiki-1.22.6-1.mga4.src.rpm Re Could sysadmin please push from core/updates_testing to core/updates. Thank you! ------------------------------------------
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs, warrendiogeneseWhiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
Advisory uploaded.
CC: (none) => remiWhiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory
http://advisories.mageia.org/MGASA-2014-0197.html
Status: NEW => RESOLVEDCC: (none) => mageiaResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/596695/
The issue has CVE-2014-2853, which LWN created an entry for here: http://lwn.net/Vulnerabilities/597466/ Would someone mind adding the CVE reference to the advisory in SVN? Updated mediawiki packages fix security vulnerability: XSS vulnerability in MediaWiki before 1.22.6, where if the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action (CVE-2014-2853). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2853 https://bugzilla.wikimedia.org/show_bug.cgi?id=63251 http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-April/000149.html
URL: http://lwn.net/Vulnerabilities/596695/ => http://lwn.net/Vulnerabilities/597466/
Done. Anybody with svn access can do so.