Yesterday MediaWiki published security releases that fix 3 security issues:

* An internal review discovered that specially crafted Lua function names could lead to XSS. <https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>
* Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. <https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>
* Internal review also discovered that Special:Import and Extension:RSS failed to prevent XML external entity (XXE) processing. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>

Reproducible: Always
Arches, please stabilize:
=www-apps/mediawiki-1.19.5
=www-apps/mediawiki-1.20.4
*** Bug 466090 has been marked as a duplicate of this bug. ***
amd64 stable
x86 stable
ppc stable
Thanks for your work.
Possible remote code execution.
GLSA vote: yes
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).