From ${URL} : Two flaws were corrected in the recently-released MediaWiki 1.20.5 and 1.19.6 releases: * Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as UTF-8. [1] * Internal review discovered that extensions were not given the opportunity to disable a password reset, which could lead to circumvention of two-factor authentication. [2] [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=47304 [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=46590 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Arches, please stabilize: =www-apps/mediawiki-1.19.6 =www-apps/mediawiki-1.20.5
amd64 stable
x86 stable
ppc stable
If this requires a GLSA, it could be combined with bug 471140.
GLSA vote: no
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-2032 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2032): MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks. CVE-2013-2031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2031): MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox.