80140 – mediawiki upstream 1.3.9 contains security fix , not in portage

Bug 80140 - mediawiki upstream 1.3.9 contains security fix , not in portage

Summary: mediawiki upstream 1.3.9 contains security fix , not in portage

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-01-30 15:34 UTC by Kevin Bryan
Modified:	2005-01-30 17:20 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kevin Bryan 2005-01-30 15:34:33 UTC

From http://wikipedia.sourceforge.net/:
1.3.9 released 2004-12-12 New stable release
mediawiki-1.3.9.tar.gz

MediaWiki 1.3.9 is a security and bug fix release.

A flaw in upload handling has been found which may allow upload and execution of arbitrary scripts with the permissions of the web server. Only wikis that have enabled uploads and have a vulnerable Apache configuration will be affected, but to be safe all wikis should upgrade.

Wikis with uploads available should either disable uploads or upgrade to 1.3.9 immediately; if other files are customized and require merging changes, includes/SpecialUpload.php may be replaced individually to add the fix.

Reproducible: Always
Steps to Reproduce:

Comment 1 Kevin Bryan 2005-01-30 17:20:29 UTC

Sorry, it is, in fact, in portage, even as stable.