advisories/11157.adv

type: security
subject: Updated mediawiki package fixes security vulnerabilities
CVE:
 - CVE-2013-4301
 - CVE-2013-4302
 - CVE-2013-4303
src:
  2:
   core:
     - mediawiki-1.20.7-1.mga2
  3:
   core:
     - mediawiki-1.20.7-1.mga3
description: |
  Full path disclosure in MediaWiki before 1.20.7, when an invalid language
  is specified in ResourceLoader (CVE-2013-4301).
  
  Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens
  to be accessed via JSONP (CVE-2013-4302).
  
  An issue with the MediaWiki API in MediaWiki before 1.20.7 where an
  invalid property name could be used for XSS with older versions of
  Internet Explorer (CVE-2013-4303).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=11157
 - http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
 - https://www.mediawiki.org/wiki/Release_notes/1.20
ID: MGASA-2013-0276
1	type: security
2	subject: Updated mediawiki package fixes security vulnerabilities
3	CVE:
4	- CVE-2013-4301
5	- CVE-2013-4302
6	- CVE-2013-4303
7	src:
8	2:
9	core:
10	- mediawiki-1.20.7-1.mga2
11	3:
12	core:
13	- mediawiki-1.20.7-1.mga3
14	description: \|
15	Full path disclosure in MediaWiki before 1.20.7, when an invalid language
16	is specified in ResourceLoader (CVE-2013-4301).
17
18	Several API modules in MediaWiki before 1.20.7 allowed anti-CSRF tokens
19	to be accessed via JSONP (CVE-2013-4302).
20
21	An issue with the MediaWiki API in MediaWiki before 1.20.7 where an
22	invalid property name could be used for XSS with older versions of
23	Internet Explorer (CVE-2013-4303).
24	references:
25	- https://bugs.mageia.org/show_bug.cgi?id=11157
26	- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html
27	- https://www.mediawiki.org/wiki/Release_notes/1.20
28	ID: MGASA-2013-0276