FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mediawiki -- multiple vulnerabilities

Affected packages
mediawiki123 < 1.23.14
mediawiki124 <= 1.24.6
mediawiki125 < 1.25.6
mediawiki126 < 1.26.3

Details

VuXML ID b50f53ce-2151-11e6-8dd3-002590263bf5
Discovery 2016-05-20
Entry 2016-05-24

MediaWiki reports:

Security fixes:

T122056: Old tokens are remaining valid within a new session

T127114: Login throttle can be tricked using non-canonicalized usernames

T123653: Cross-domain policy regexp is too narrow

T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex

T129506: MediaWiki:Gadget-popups.js isn't renderable

T125283: Users occasionally logged in as different users after SessionManager deployment

T103239: Patrol allows click catching and patrolling of any page

T122807: [tracking] Check php crypto primitives

T98313: Graphs can leak tokens, leading to CSRF

T130947: Diff generation should use PoolCounter

T133507: Careless use of $wgExternalLinkTarget is insecure

T132874: API action=move is not rate limited

References

URL https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html