Description:
* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer clients for all MediaWiki installations with uploads enabled. [CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG scripting capability (such as Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki installations since the feature was introduced in 1.3.0. [CVE-2008-5252]

Also from Secunia: http://secunia.com/Advisories/33133/
Oops, changing from ~4 to B4 because 1.11.2 is also vulnerable.
Version bump please. Version 1.12.2 had a packaging problem (see http://marc.info/?l=mediawiki-l&m=122956897708135&w=2) - it's 1.12.3 now.
Name: CVE-2008-5687
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5687
Published: 2008-12-19
Severity: Medium
Description: MediaWiki 1.11 through 1.13.3 does not properly protect against the download of backups of deleted images, which might allow remote attackers to obtain sensitive information via requests for files in images/deleted/.
1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as I see. So we need to stabilize something. I'd suggested to stabilize 1.12.3 has QA issue:

 * QA Notice: file does not exist:
 * doins: skins/htmldump/* does not exist

which I fixed for 1.13 and actually I don't want to spend more time to incorporate fix into 1.12. So, please, stabilize 1.13.3.
(In reply to comment #4)
> 1.12.3 and 1.13.3 are in the tree and 1.11.x has no fixed release as I see. So
> we need to stabilize something. I'd suggested to stabilize 1.12.3 has QA issue:
>
>  * QA Notice: file does not exist:
>  * doins: skins/htmldump/* does not exist
>
> which I fixed for 1.13 and actually I don't want to spend more time to
> incorporate fix into 1.12. So, please, stabilize 1.13.3.
>

MediaWiki doesn't support 1.11.x anymore. I agree with 1.13.3 stabilization and after that, may we remove 1.11.2?
Arches, please test and mark stable:
=www-apps/mediawiki-1.13.3
Target keywords : "amd64 ppc sparc x86"
sparc stable
ppc stable
x86 stable
amd64 stable
Ready for vote, I vote NO.
No, too. Closing.