From ${URL} :

Description

A weakness and multiple vulnerabilities have been reported in MediaWiki, which can be exploited by malicious people to disclose certain sensitive information and conduct cross-site scripting attacks.

1) The application discloses the full installation path in an error message when an invalid language is specified in ResourceLoader.

2) An error within the "tokens", "unblock", "login", "createaccount", and "block" API calls can be exploited to disclose the CSRF token value.

3) Input passed via the "siprop" GET/POST parameter to wiki/api.php (when "action" is set to "query", "meta" is set to "siteinfo", and "format" is set to "json") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The weakness and vulnerabilities are reported in versions prior to 1.21.2, 1.20.7, and 1.19.8.

Solution: Update to version 1.21.2, 1.20.7, or 1.19.8.

Provided and/or discovered by:
2) Reported by the vendor.

The vendor credits:
1) Mozilla.
3) Andreas Peetz.

Original Advisory:
MediaWiki: http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Ebuilds have already been bumped. Arches, please stabilize:
=www-apps/mediawiki-1.19.8
=www-apps/mediawiki-1.20.7
=www-apps/mediawiki-1.21.2
x86 stable
ppc stable
amd64 stable
GLSA vote: no.
CVE-2013-4308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4308): Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject arbitrary web script or HTML via a thread subject.

CVE-2013-4307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4307): Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script or HTML via a label in the "In other languages" section or (2) remote administrators to inject arbitrary web script or HTML via a description.
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).
CVE-2013-4302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4302): (1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow remote attackers to obtain CSRF tokens and bypass the cross-site request forgery (CSRF) protection mechanism via a JSONP request to wiki/api.php.

CVE-2013-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4301): includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter to w/load.php, which reveals the installation path in an error message.
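The three API-side issues described in the advisory at the top of this bug and in the CVE-2013-4302 / CVE-2013-4301 entries above (CSRF tokens readable through a JSONP callback, an unescaped echo of the siprop value, and an error message that leaks the install path on a malformed lang value) reduce to three checks in the request handler. The Python below is an added example written for this page; it is not MediaWiki's PHP code and not the fix the project shipped. The build_result/render functions, the siteinfo allowlist, the regular expressions and the sample token are all constructed for illustration.

```python
import html
import json
import re

# Constructed allowlist of siteinfo properties (a small subset for illustration).
SITEINFO_PROPS = {"general", "namespaces", "statistics"}
# Shape of an acceptable language code; anything else is rejected before use.
LANG_RE = re.compile(r"[a-z]{2,3}(-[a-z0-9]{2,8})*")
# JSONP callback names are restricted to a dotted JavaScript identifier.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")
# Constructed sample token; a real service generates one per session.
SAMPLE_TOKEN = "0123456789abcdef+\\"


def build_result(params):
    """Stand-in for api.php: return the JSON-serialisable result for a request."""
    action = params.get("action")
    callback = params.get("callback")

    lang = params.get("lang")
    if lang is not None and not LANG_RE.fullmatch(lang):
        # Generic error: no exception text, no file-system paths.
        return {"error": {"code": "badlang", "info": "Invalid language code"}}

    if action == "tokens":
        if callback is not None:
            # A JSONP body is readable by any origin that loads it as a script,
            # so a CSRF token must never be returned on that path.
            return {"error": {"code": "jsonp-not-allowed",
                              "info": "Tokens cannot be requested with a callback"}}
        return {"tokens": {"edittoken": SAMPLE_TOKEN}}

    if action == "query" and params.get("meta") == "siteinfo":
        requested = params.get("siprop", "general").split("|")
        bad = [p for p in requested if p not in SITEINFO_PROPS]
        result = {"query": {p: {} for p in requested if p in SITEINFO_PROPS}}
        if bad:
            # Validate against the allowlist; echo only an HTML-escaped copy.
            result["warnings"] = {
                "siteinfo": "Unrecognized value(s) for siprop: "
                + ", ".join(html.escape(p, quote=True) for p in bad)
            }
        return result

    return {"error": {"code": "unknown_action", "info": "Unrecognized action"}}


def render(params):
    """Serialise the result; return (content_type, body)."""
    result = build_result(params)
    # json.dumps leaves '<' and '>' alone; escape them so the body stays inert
    # even if a client ever renders it in an HTML context.
    body = json.dumps(result).replace("<", "\\u003c").replace(">", "\\u003e")
    callback = params.get("callback")
    if callback is None:
        return "application/json; charset=utf-8", body
    if not CALLBACK_RE.fullmatch(callback):
        # Refuse callback names that could inject script into the wrapper.
        err = {"error": {"code": "badcallback", "info": "Invalid callback name"}}
        return "application/json; charset=utf-8", json.dumps(err)
    return "application/javascript; charset=utf-8", f"{callback}({body})"


if __name__ == "__main__":
    for p in ({"action": "tokens"},
              {"action": "tokens", "callback": "cb"},
              {"action": "query", "meta": "siteinfo", "siprop": "general|<script>x</script>"},
              {"action": "query", "lang": "<"}):
        print(p, "->", render(p))
```

The token check is the one that matters most: the response format, not the request origin, decides whether a third-party page can read the body, so any endpoint that emits secrets has to refuse the callback parameter outright rather than rely on cookies being absent.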