+++ This bug was initially created as a clone of Bug #515138 +++
+++ This bug was initially created as a clone of Bug #508976 +++
== Security ==
* (bug 65839) SECURITY: Prevent external resources in SVG files.
URLs not yet available.
Please ignore description.
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
I've taken the liberty to bump the ebuilds and drop the vulnerable versions.
* www-apps/mediawiki-1.19.18 amd64 ppc x86 (legacy stable)
* www-apps/mediawiki-1.22.10 amd64 ppc x86 (stable, upgrade path from discontinued 1.21)
(In reply to Alex Xu (Hello71) from comment #0)
> +++ This bug was initially created as a clone of Bug #515138 +++
Please don't use the cloning feature for security bugs. It has really created a mess with this series of bugs.
MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x
before 1.23.2 does not enforce an IFRAME protection mechanism for
transcluded pages, which makes it easier for remote attackers to conduct
clickjacking attacks via a crafted web site.
Cross-site scripting (XSS) vulnerability in
mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and
1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script
or HTML via vectors involving the multipageimagenavbox class in conjunction
with an action=raw value.
The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before
1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2
accepts certain long callback values and does not restrict the initial bytes
of a JSONP response, which allows remote attackers to conduct cross-site
request forgery (CSRF) attacks, and obtain sensitive information, via a
crafted OBJECT element with SWF content consistent with a restricted
This issue was resolved and addressed in
GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
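The JSONP entries above (bug 68187 "Prepend jsonp callback with comment", and the ApiFormatJson.php CVE text about unrestricted initial response bytes) name the fix but not why it works. The following Python is an added illustration, not MediaWiki's own code: the callback grammar and length cap are an assumed policy, the SWF header magic values are an assumption stated in the comments, and the callback names and payload are constructed.

```python
import json
import re

# Strict callback grammar: a dotted JavaScript identifier path, length-capped.
# (Assumed policy for this demonstration, not MediaWiki's exact rules.)
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64

# Leading bytes a Flash player accepts as an SWF file header (assumed values:
# uncompressed, zlib-compressed and LZMA-compressed SWF respectively).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def callback_is_valid(callback: str) -> bool:
    """Reject anything outside the grammar or over the length cap."""
    return len(callback) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(callback) is not None


def starts_like_swf(body: bytes) -> bool:
    """Detection check: does a response body begin with SWF header magic?"""
    return body[:3] in SWF_MAGIC


def jsonp_unhardened(callback: str, data) -> bytes:
    """Pre-fix shape: the caller-supplied name is the first thing in the response."""
    return f"{callback}({json.dumps(data)})".encode()


def jsonp_hardened(callback: str, data) -> bytes:
    """Validate the callback, then prepend a comment so the response can never
    begin with caller-controlled bytes, whatever name was supplied."""
    if not callback_is_valid(callback):
        raise ValueError("invalid JSONP callback")
    return f"/**/{callback}({json.dumps(data)})".encode()


if __name__ == "__main__":
    # Constructed sample: a callback name that passes the identifier grammar
    # but would place SWF magic at the start of an unprefixed response, which
    # is why grammar checks alone are not enough and the comment prefix matters.
    sample = {"query": {"userinfo": {"name": "Example"}}}
    print(starts_like_swf(jsonp_unhardened("CWSdemo", sample)))  # True
    print(starts_like_swf(jsonp_hardened("CWSdemo", sample)))    # False
```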