From $URL:

Wikipedia user PleaseStand pointed out that MediaWiki has no protection against "clickjacking". With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options.

For information about supported browsers, see:
<https://developer.mozilla.org/en/the_x-frame-options_response_header>

For more information about this vulnerability and the related patch, see:
<https://bugzilla.wikimedia.org/show_bug.cgi?id=26561>

Fixed version 1.16.1 is already in the tree (thanks, Tim/radhermit!)

@web-apps, are we ok to call for stabilization of =www-apps/mediawiki-1.16.1?
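The policy described in the advisory (deny framing everywhere except normal page views and a short allow-list of special pages) can be sketched as a small response filter plus a header audit. This is an added illustration, not MediaWiki's own code: the URL forms it parses (`index.php?title=...&action=...` and `/wiki/Title`), the allow-list of frameable special pages, and the sample responses are all assumptions constructed for the example.

```python
# Added example, not MediaWiki's own implementation: decide which responses
# must carry X-Frame-Options and audit sample responses against that policy.
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of special pages that may stay frameable; the real
# MediaWiki 1.16.1 list is not reproduced here.
FRAMEABLE_SPECIAL_PAGES = {"Special:Search"}

# Values browsers that support the header are expected to honour.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def request_facts(url: str) -> Dict[str, str]:
    """Extract the page title and action from a wiki request URL.

    Both the index.php?title=..&action=.. form and the /wiki/Title short-URL
    form are handled (assumed layouts for this example).
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    title = qs.get("title", [""])[0]
    if not title and parts.path.startswith("/wiki/"):
        title = parts.path[len("/wiki/"):]
    action = qs.get("action", ["view"])[0]
    return {"title": title, "action": action}


def frame_options_for(url: str) -> Optional[str]:
    """Return the X-Frame-Options value to send, or None to allow framing."""
    facts = request_facts(url)
    if facts["title"].startswith("Special:"):
        # Special pages are denied unless explicitly allow-listed.
        return None if facts["title"] in FRAMEABLE_SPECIAL_PAGES else "DENY"
    # Plain page views stay frameable; edit, history, delete, etc. are denied.
    return None if facts["action"] == "view" else "DENY"


def apply_frame_policy(url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers with the policy applied."""
    out = dict(headers)
    value = frame_options_for(url)
    if value is not None:
        out["X-Frame-Options"] = value
    return out


def audit_response(url: str, raw_headers: str) -> List[str]:
    """Flag a response that lacks the header where the policy requires it,
    or that carries a value a supporting browser would not recognise."""
    headers: Dict[str, str] = {}
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    findings: List[str] = []
    expected = frame_options_for(url)
    got = headers.get("x-frame-options")
    if expected and got is None:
        findings.append(f"{url}: missing X-Frame-Options (expected {expected})")
    elif got is not None and got.upper() not in VALID_XFO:
        findings.append(f"{url}: unrecognised X-Frame-Options value {got!r}")
    return findings


# Constructed sample responses (not captured from a real wiki).
SAMPLE_RESPONSES = [
    ("/index.php?title=Main_Page&action=edit",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("/index.php?title=Special:UserLogin",
     "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"),
    ("/wiki/Main_Page", "HTTP/1.1 200 OK\r\n"),
]


def run_audit() -> List[str]:
    """Audit every constructed sample and return the list of findings."""
    findings: List[str] = []
    for url, raw in SAMPLE_RESPONSES:
        findings.extend(audit_response(url, raw))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running the audit reports only the edit-page response, which is the one a clickjacking attack would need to frame; the plain page view is intentionally left frameable, matching the trade-off the advisory describes. As the advisory notes, the header only helps when the visitor's browser honours it, so the audit checks the server side only.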
(In reply to comment #0)
> Fixed version 1.16.1 is already in the tree (thanks, Tim/radhermit!)
No problem. :)
> @web-apps, are we ok to call for stabilization of =www-apps/mediawiki-1.16.1?
I'd say yes, since I was about to call for 1.16.0 stabilization until I noticed a new security release was out. I could also add the patch to something like 1.15.5-r1 if we want to keep a secure 1.15.x release in the tree a bit longer.
(In reply to comment #1)
> (In reply to comment #0)
> > @web-apps, are we ok to call for stabilization of =www-apps/mediawiki-1.16.1?
>
> I'd say yes, since I was about to call for 1.16.0 stabilization until I noticed
> a new security release was out. I could also add the patch to something like
> 1.15.5-r1 if we want to keep a secure 1.15.x release in the tree a bit longer.
>
Thank you. I think www-apps/mediawiki-1.16.1 is good.

Arches, please test and mark stable:
=www-apps/mediawiki-1.16.1
Target keywords : "amd64 ppc sparc x86"
Fixing typo in Summary; apologies for the spam.
amd64 ok
amd64 done. Thanks Agostino
x86 stable
ppc done
sparc stable
Thanks everyone. Closing NOGLSA.