Bug 13593 - mediawiki new security issue fixed upstream in 1.23.1
Summary: mediawiki new security issue fixed upstream in 1.23.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604602/
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-25 13:53 CEST by David Walser
Modified: 2014-07-08 01:35 CEST (History)

See Also:
Source RPM: mediawiki-1.22.7-1.mga4.src.rpm
CVE:
Status comment:


Attachments
mediawiki-math (527 bytes, text/plain)
2014-06-27 18:34 CEST, William Murphy

Description David Walser 2014-06-25 13:53:42 CEST
Upstream will release version 1.23.1 today:
http://openwall.com/lists/oss-security/2014/06/25/4

We'll upgrade to this LTS version for Mageia 3 and Mageia 4 as well.

The mediawiki-ldapauthentication and mediawiki-math packages will be updated as well (already done in Cauldron).

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-25 13:53:48 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-06-26 15:51:33 CEST
The updated releases have been announced:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

I'm not sure if they'll get a CVE:
http://openwall.com/lists/oss-security/2014/06/26/1

We'll see what happens with that.  For now, the updated packages are built and uploaded and can be tested.

Updated packages in core/updates_testing:
========================
mediawiki-1.23.1-1.mga3
mediawiki-mysql-1.23.1-1.mga3
mediawiki-pgsql-1.23.1-1.mga3
mediawiki-sqlite-1.23.1-1.mga3
mediawiki-ldapauthentication-2.1.0-1.mga3
mediawiki-math-1.2.0-1.mga3
mediawiki-1.23.1-1.mga4
mediawiki-mysql-1.23.1-1.mga4
mediawiki-pgsql-1.23.1-1.mga4
mediawiki-sqlite-1.23.1-1.mga4
mediawiki-ldapauthentication-2.1.0-1.mga4
mediawiki-math-1.2.0-1.mga4

from SRPMS:
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: mediawiki new security issues fixed upstream in 1.23.1 => mediawiki new security issue fixed upstream in 1.23.1
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 William Murphy 2014-06-27 18:34:28 CEST
Created attachment 5218 [details]
mediawiki-math

Tested on Mageia 3 & 4 for both i586 & x86_64 archs with instances for mysql, postgresql and sqlite.

The mediawiki-ldapauthentication extension doesn't support sqlite, so tested that without ldap authentication. Mysql and postgresql are both supported by it, so tested them using ldap.

The mediawiki-math extension works using MathJax and without it, but one of the new tools, texvccheck, was not compiled while building the package. It's a security tool that filters out any spam or other badness that may have been injected into the markup beforehand.

The extension works without it, but there are complaints in the logs. I patched (this attachment) the spec, rebuilt and upgraded the package. No more complaints in the logs.

CC: (none) => warrendiogenese

Comment 3 David Walser 2014-06-27 19:08:40 CEST
Thanks!  I fixed mediawiki-math.

Now we have:
mediawiki-math-1.2.0-1.1.mga3
mediawiki-math-1.2.0-1.1.mga4

Comment 4 William Murphy 2014-06-27 23:31:29 CEST
That fixed mediawiki-math. No more errors in the logs.

Testing complete.

------------------------------------------
Update validated.
Thanks.

Advisories:
No CVEs or PoC at this time. See Comment #1

SRPMS: 
mediawiki-1.23.1-1.mga3.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga3.src.rpm
mediawiki-math-1.2.0-1.mga3.src.rpm
mediawiki-1.23.1-1.mga4.src.rpm
mediawiki-ldapauthentication-2.1.0-1.mga4.src.rpm
mediawiki-math-1.2.0-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
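The validation above checks that the full package set (including the rebuilt mediawiki-math-1.2.0-1.1 that ships texvccheck) is what ends up installed. The following POSIX shell script is an added example, not part of this bug or of the Mageia packages: it compares the expected NVRs from Comment 1 and Comment 3 against `rpm -qa` output and checks an `rpm -ql mediawiki-math` file list for the texvccheck binary. The rpm output and file lists embedded below are constructed samples so the script runs offline; the install path of texvccheck is not stated in the bug, so only its basename is matched.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the mediawiki package): verify
# that a host carries the validated update and that mediawiki-math
# contains texvccheck.

# Expected NVRs for Mageia 4, copied from Comment 1 and Comment 3.
EXPECTED_MGA4='mediawiki-1.23.1-1.mga4
mediawiki-mysql-1.23.1-1.mga4
mediawiki-pgsql-1.23.1-1.mga4
mediawiki-sqlite-1.23.1-1.mga4
mediawiki-ldapauthentication-2.1.0-1.mga4
mediawiki-math-1.2.0-1.1.mga4'

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# from a host that still has the first mediawiki-math build (release 1)
# and lacks the pgsql backend package.
SAMPLE_RPM_QA='mediawiki-1.23.1-1.mga4
mediawiki-mysql-1.23.1-1.mga4
mediawiki-sqlite-1.23.1-1.mga4
mediawiki-ldapauthentication-2.1.0-1.mga4
mediawiki-math-1.2.0-1.mga4
php-5.5.13-1.mga4'

# Constructed `rpm -ql mediawiki-math` file lists; paths are assumptions,
# the bug does not state where texvccheck is installed.
BROKEN_FILELIST='/usr/share/mediawiki/extensions/Math/Math.php
/usr/share/mediawiki/extensions/Math/texvc'
FIXED_FILELIST='/usr/share/mediawiki/extensions/Math/Math.php
/usr/share/mediawiki/extensions/Math/texvc
/usr/share/mediawiki/extensions/Math/texvccheck'

# missing_packages EXPECTED INSTALLED
# Prints one "MISSING: <nvr>" line per expected NVR not present verbatim in
# INSTALLED (exact, fixed-string line match, so 1.2.0-1.mga4 does not
# satisfy 1.2.0-1.1.mga4). Returns 0 when nothing is missing, 1 otherwise.
missing_packages() {
    expected=$1
    installed=$2
    status=0
    for nvr in $expected; do
        if ! printf '%s\n' "$installed" | grep -qxF "$nvr"; then
            printf 'MISSING: %s\n' "$nvr"
            status=1
        fi
    done
    return $status
}

# has_texvccheck FILELIST
# Returns 0 if a file named texvccheck appears in the package file list.
has_texvccheck() {
    printf '%s\n' "$1" | grep -q '/texvccheck$'
}

# Stand-alone run against the constructed samples.
missing_packages "$EXPECTED_MGA4" "$SAMPLE_RPM_QA" || echo "update not fully installed"
has_texvccheck "$FIXED_FILELIST" && echo "texvccheck present in fixed build"
has_texvccheck "$BROKEN_FILELIST" || echo "texvccheck absent in release 1 build"
```

On a real Mageia 4 host, replace the two sample variables with `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and `rpm -ql mediawiki-math`; for Mageia 3 substitute the mga3 NVRs from the same comments.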

Comment 5 David Walser 2014-06-28 00:25:57 CEST
MITRE has contributed their two cents, so it really sounds like no CVE:
http://openwall.com/lists/oss-security/2014/06/27/18

I hadn't actually made an advisory for this one yet.

Advisory:
--------

This update provides MediaWiki 1.23.1, which provides several new features
and fixes a couple of minor bugs from 1.22.7.  The MediaWiki 1.23 branch is
a Long Term Support branch, so this update will provide a basis for more
stability for this package in the future.

The mediawiki-ldapauthentication and mediawiki-math packages have been
updated to versions that are compatible with MediaWiki 1.23.

References:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000152.html
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

Comment 6 Thomas Backlund 2014-07-04 20:58:31 CEST
dropped security component.

advisory added

update pushed:
http://advisories.mageia.org/MGAA-2014-0142.html

Status: NEW => RESOLVED
CC: (none) => tmb
Component: Security => RPM Packages
Hardware: i586 => All
Resolution: (none) => FIXED
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK advisory

David Walser 2014-07-08 01:35:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/604602/

