MediaWiki 1.13.5 ("bugfix release" for the 1.13.x branch) has been released on 2009-02-22.
Reproducible: Always
According to the release notes the installer we currently have in stable has security issues. This does not affect live installs of course as it's deleted after setup. Of course one shouldn't be exposing the installer to the public in the first place but best for security to take a look.
CVE-2009-0737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0737): Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1.13.5 was added to the tree.
I vote NO. The installer script should be removed after install, this is explicit in the postinst output.
NO too, closing.
Um, although I agree with noglsa we missed stabilize step. Arch teams please stabilize this package.
Target keywords: =www-apps/mediawiki-1.13.5: amd64 ppc sparc x86
(In reply to comment #6)
> Um, although I agree with noglsa we missed stabilize step. Arch teams please
> stabilize this package.
oh, sorry :~/
(In reply to comment #7)
> Target keywords:
> =www-apps/mediawiki-1.13.5: amd64 ppc sparc x86
>
well, at least 1.14.0 needs php build with +spl. please check.
(In reply to comment #9)
> well, at least 1.14.0 needs php build with +spl. please check.
Thank you Tobias. Added.
amd64/x86 stable
ppc done
sparc stable
[noglsa] now.