
Bug 114582

Summary: =www-apps/mediawiki-1.5*: possible remote code execution
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: trapni, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2005-12-05 16:58:56 UTC
== MediaWiki 1.5.3 ==

December 4, 2005

MediaWiki 1.5.3 is a security and bugfix maintenance release.

Validation of the user language option was broken by a code change in
May 2005, opening the possibility of remote code execution as this
parameter is used in forming a class name dynamically created with
eval().

The validation has been corrected in this version. All prior 1.5 release
and prerelease versions are affected; 1.4 and earlier are not affected.

Additionally several bugs have been fixed; see the changelog later in
this file for a complete list.

http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=375755
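
An added example, not part of the original report and not MediaWiki's code: one way to validate a user-supplied language option before it selects a class, using an allowlist and direct instantiation instead of eval(). The class names, the allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration; not MediaWiki source. All names here are hypothetical.

// Constructed stand-ins for per-language classes.
class LanguageEn { public function name(): string { return 'English'; } }
class LanguageDe { public function name(): string { return 'Deutsch'; } }

// Explicit allowlist: language code => class that implements it.
const LANGUAGE_CLASSES = [
    'en' => LanguageEn::class,
    'de' => LanguageDe::class,
];
const DEFAULT_LANGUAGE = 'en';

/**
 * Reduce an untrusted language option to a known code.
 * Anything that is not a string, not well-formed, or not on the
 * allowlist falls back to the default instead of reaching class lookup.
 */
function normalizeLanguageCode($raw): string
{
    if (!is_string($raw)) {
        return DEFAULT_LANGUAGE;
    }
    $code = strtolower($raw);
    // \A...\z anchors the whole string; $ alone would accept a trailing newline.
    if (preg_match('/\A[a-z]{2,3}(?:-[a-z0-9]{2,8})*\z/', $code) !== 1) {
        return DEFAULT_LANGUAGE;
    }
    return array_key_exists($code, LANGUAGE_CLASSES) ? $code : DEFAULT_LANGUAGE;
}

/** Build the language object without eval(): the class name comes from the allowlist, never from the request. */
function languageFor($raw): object
{
    $class = LANGUAGE_CLASSES[normalizeLanguageCode($raw)];
    return new $class();
}

// Constructed sample inputs: valid, mixed case, unknown, malformed, wrong type.
foreach (['de', 'DE', 'xx', "en\n", 'en!bad', ['en'], null] as $input) {
    printf("%-12s => %s\n", json_encode($input), languageFor($input)->name());
}
```

Only the first two inputs resolve to `LanguageDe`; every other value falls back to the default class, so no request-controlled string is ever used as a class name.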
Comment 1 Christian Parpart (RETIRED) gentoo-dev 2005-12-05 22:45:53 UTC
version bumped to 1.5.3 (that includes a fix).  
old/sick versions cleaned up in one go. 
 
security shall close this bug when they feel comfortable now :o) 
 
greetings. 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-05 23:25:55 UTC
Mmm I feel comfortable now. 

*** This bug has been marked as a duplicate of 114581 ***