I am almost entirely sure that www-apps/mediawiki:1.20* is also affected, due to the wording of the announce mail and its non-existence on the official download list. https://www.mediawiki.org/wiki/Download
> I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and
> Your MediaWiki installation is affected by a remote code execution
> vulnerability if you have enabled file upload support for DjVu (natively
> supported by MediaWiki) or PDF files (in combination with the PdfHandler
> extension). Neither file type is enabled by default in MediaWiki
> installations. If you are affected, we strongly urge you to update
> Affected supported versions: All
> == Security fixes ==
> * Netanel Rubin from Check Point discovered a remote code execution
> vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal
> review also discovered similar logic in the PdfHandler extension, which
> could be exploited in a similar way. (CVE-2014-1610)
Bumped. 1.20.x was EOL'd, and was pruned from the tree due to a previous security issue.
Arches, please test and stable:
amd64 ppc x86
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before
1.19.11, when DjVu or PDF file upload support is enabled, allows remote
authenticated users to execute arbitrary commands via shell metacharacters
in (1) the page parameter to includes/media/DjVu.php; unspecified vectors in
(2) includes/media/PdfHandler_body.php; and possibly unspecified vectors in
(3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
glsa request filed.
Arches and Mainter(s), Thank you for your work.
This issue was resolved and addressed in
GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).