Fedora – Security Updates
ghostscript-9.20-8.fc26
Security fix for [CVE-2017-7207](https://bugzilla.redhat.com/show_bug.cgi?id=1434353).
mediawiki-1.27.2-1.fc25
* (T109140) (T122209) Special:UserLogin and Special:Search allow redirect to interwiki links. (CVE-2017-0363, CVE-2017-0364)
* (T144845) XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. (CVE-2017-0365)
* (T125177) API parameters may now be marked as “sensitive” to keep their values out of the logs. (CVE-2017-0361)
* (T150044) “Mark all pages visited” on the watchlist now requires a CSRF token. (CVE-2017-0362)
* (T156184) Escape content model/format url parameter in message. (CVE-2017-0368)
* (T151735) SVG filter evasion using default attribute values in DTD declaration. (CVE-2017-0366)
* (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion syntax’s link parameter. (CVE-2017-0370)
* (T108138) Sysops can undelete pages, although the page is protected against it. (CVE-2017-0369)
The following only affects 1.27 and above and is not included in the 1.23 upgrade:
* (T161453) LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache. (CVE-2017-0367)
The following fix is for the SyntaxHighlight extension:
* (T158689) Parameters injection in SyntaxHighlight results in multiple vulnerabilities. (CVE-2017-0372)
mediawiki-1.28.1-2.fc26
https://www.mediawiki.org/wiki/Release_notes/1.28#MediaWiki_1.28.1
Changes since 1.28.0
* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from “WaitConditionLoop” not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as “sensitive” to keep their values out of the logs.
* (T150044) SECURITY: “Mark all pages visited” on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax’s link parameter.
mediawiki-1.28.1-1.fc26
https://www.mediawiki.org/wiki/Release_notes/1.28#MediaWiki_1.28.1
Changes since 1.28.0
* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from “WaitConditionLoop” not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as “sensitive” to keep their values out of the logs.
* (T150044) SECURITY: “Mark all pages visited” on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax’s link parameter.
samba-4.4.13-1.fc24
Fix a nss_wins crash
Security fix for CVE-2017-2619
python-django-1.9.13-1.fc25
update to 1.9.13, fix for CVE-2017-7233
mupdf-1.10a-5.fc25
Fix stack consumption CVE-2016-10221 (#1439643)
python-django-1.10.7-1.fc26
fix CVE-2017-7233
tnef-1.4.14-1.el7
Release 1.4.14 includes security bug fixes introduced in 1.4.13 and a further bug fix.