[SECURITY] Fedora 20 Update: mediawiki-1.23.7-1.fc20

updates at fedoraproject.org updates at fedoraproject.org
Fri Dec 12 04:34:24 UTC 2014 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-16033
2014-12-01 18:07:54
--------------------------------------------------------------------------------

Name        : mediawiki
Product     : Fedora 20
Version     : 1.23.7
Release     : 1.fc20
URL         : http://www.mediawiki.org/
Summary     : A wiki engine
Description :
MediaWiki is the software used for Wikipedia and the other Wikimedia
Foundation websites. Compared to other wikis, it has an excellent
range of features and support for high-traffic websites using multiple
servers

This package supports wiki farms. Read the instructions for creating wiki
instances under /usr/share/doc/mediawiki/README.RPM.
Remember to remove the config dir after completing the configuration.

--------------------------------------------------------------------------------
Update Information:

http://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7

* (bug 66776, bug 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.

--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 28 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.7-1
- Update to 1.23.7
- Release notes: http://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7
* Mon Nov  3 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.6-1
- Update to 1.23.6
- (bug 67440) Allow classes to be registered properly from installer
- (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header
* Thu Oct  2 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.5-1
- Update to 1.23.5
- CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
  allowance.
* Fri Sep 26 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.4-1
- Update to 1.23.4
- (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style
  elements and attributes before filtering; add checks for attributes that contain css; add unit tests
  for html5sec and reported bugs.
- (bug 65998) Make MySQLi work with non-standard socket.
- (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config settings.
* Thu Aug 28 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.3-1
- Update to 1.23.3
- (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
- (bug 64970) Fix support for blobs on DatabaseOracle::update.
- (bug 66574) Display MediaWiki:Loginprompt on the login page.
- (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
- (bug 60629) Handle invalid language code gracefully in 
  Language::fetchLanguageNames.
- (bug 62017) Restore the number of rows shown on Special:Watchlist.
- Check for boolean false result from database query in SqlBagOStuff.
* Sat Aug 16 2014 Michael Cronenworth <mike at cchtml.com> - 1.23.2-1
- Update to 1.23.2 (long term support branch)
- (bug 68187) SECURITY: Prepend jsonp callback with comment.
- (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading 
  a new page in Javascript,instead of relying on the URL in the link that has been clicked.
- (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
- (bug 68313) Preferences: Turn stubthreshold back into a combo box.
- (bug 65214) Fix initSiteStats.php maintenance script.
- (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
* Wed Jun 25 2014 Michael Cronenworth <mike at cchtml.com> - 1.21.11-1
- Update to 1.21.11
- (bug 65839) SECURITY: Prevent external resources in SVG files.
- (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
  like only extracting the tail of the file partially or not at all.
* Sat May 31 2014 Michael Cronenworth <mike at cchtml.com> - 1.21.10-1
- Update to 1.21.10
- (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
- (bug 36356) Add space between two feed links.
* Fri Apr 25 2014 Michael Cronenworth <mike at cchtml.com> - 1.21.9-1
- Update to 1.21.9
- (bug 63251) (CVE-2014-2853) SECURITY: Escape sortKey in pageInfo.
- (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
* Fri Mar 28 2014 Michael Cronenworth <mike at cchtml.com> - 1.21.8-1
- Update to 1.21.8
- (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
- (bug 62467) Set a title for the context during import on the cli.
* Sat Mar  1 2014 Michael Cronenworth <mike at cchtml.com> - 1.21.6-1
- Update to 1.21.6
- (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non- whitelisted namespace.
- (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
- (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
* Tue Jan 28 2014 Patrick Uiterwijk <puiterwijk at redhat.com> - 1.21.5-1
- Update to 1.21.5
- (bug 60339) (CVE-2014-1610) SECURITY: Reported RCE in djvu thumbnailing
* Tue Jan 14 2014 Patrick Uiterwijk <puiterwijk at redhat.com> - 1.21.4-1
- Security update to 1.21.4
- (bug 57550) (CVE-2013-6452) SECURITY: Disallow stylesheets in SVG Uploads
- (bug 58088) (CVE-2013-6451) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
- (bug 58472) (CVE-2013-6454) SECURITY: Disallow -o-link in styles
- (bug 58553) (CVE-2013-6453) SECURITY: Return error on invalid XML for SVG Uploads
- (bug 58699) (CVE-2013-6472) SECURITY: Fix RevDel log entry information leaks
* Tue Nov 19 2013 Michael Cronenworth <mike at cchtml.com> - 1.21.3-1
- New upstream release.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update mediawiki' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list