From ${URL} : New versions of MediaWiki have been announced [1] to fix the following flaw [2]: XSS vulnerability in MediaWiki before 1.22.7, due to usernames on Special:PasswordReset being parsed as wikitext. The username on Special:PasswordReset can be supplied by anyone and will be parsed with wgRawHtml enabled. Since Special:PasswordReset is whitelisted by default on private wikis, this could potentially lead to an XSS crossing a privilege boundary. This is corrected [3] in upstream versions 1.19.16, 1.21.10, and 1.22.7. A CVE has been requested [4]. [1] http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-May/000151.html [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=65501 [3] https://gerrit.wikimedia.org/r/#/c/136131/ [4] http://openwall.com/lists/oss-security/2014/06/03/7 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arches please stabilize: =www-apps/mediawiki-1.19.16 =www-apps/mediawiki-1.21.10
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-3966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3966): Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.
no GLSA for Cross Site Scripting Maintainer(s), please drop the vulnerable version.
Maintainer(s), please drop the vulnerable version - we would love to close this bug.
Maintainer timeout, cleanup done, closing noglsa.
