Debian Security Advisory

DSA-3011-1 mediawiki -- security update

Date Reported: 23 Aug 2014
Affected Packages: mediawiki
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 752622, Bug 758510.
In Mitre's CVE dictionary: CVE-2014-5241, CVE-2014-5243.
More information:

It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, which includes additional changes.

For the stable distribution (wheezy), these problems have been fixed in version 1:1.19.18+dfsg-0+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your mediawiki packages.