-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello everyone.

This is a security announcement for the CentralAuth extension. Two issues were discovered in the extension, and all users are strongly encouraged to upgrade.

Issue 1: XSS in Special:GlobalGroupPermissions

Due to a lack of escaping in the Special:GlobalGroupPermissions page, an attacker would be able to inject arbitrary JavaScript into the page, potentially leading to the takeover of other users' accounts.

The fix for this issue was accidentally included in another patch: fadb367ad (February 1, 2017). If you are using the master branch of the extension, you need to ensure that your copy is newer than February 1. All versions of the REL1_29 branch have this fix.

For REL1_28, please ensure that you have the commit 1e9d612 (July 19, 2017).
For REL1_27, please ensure that you have the commit aa3401503 (July 19, 2017).

This issue was discovered by Grunny. For more information, please see: https://phabricator.wikimedia.org/T134863

Issue 2: Open redirect in AutoLogin

An attacker can cause a user who is globally logged in, but not logged in on a specific wiki, to be redirected to an arbitrary interwiki link, even for interwiki prefixes without the iw_local bit set.
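As an added illustration, not code from this advisory or from CentralAuth itself, the following Python models the property the second issue is about: an autologin return target should only become a redirect when its interwiki prefix exists in the interwiki table and carries the iw_local flag. The sample table rows, hostnames and the resolve_redirect helper are constructed for this example; MediaWiki's real interwiki table uses the same column names (iw_prefix, iw_url, iw_local), but this is a simplified model, not the extension's code.

```python
from urllib.parse import quote, urlsplit

# Constructed sample of an interwiki table keyed by iw_prefix (hypothetical rows).
# iw_url holds a template with "$1" where the page title goes; iw_local marks
# prefixes that belong to the local wiki family and are safe redirect targets.
INTERWIKI_TABLE = {
    "en":  {"iw_url": "https://en.example.org/wiki/$1",  "iw_local": 1},
    "de":  {"iw_url": "https://de.example.org/wiki/$1",  "iw_local": 1},
    "ext": {"iw_url": "https://external.example.net/$1", "iw_local": 0},
}


def split_interwiki(target: str):
    """Split 'prefix:Page' into (prefix, page). Prefix is '' when there is none."""
    prefix, sep, page = target.partition(":")
    if not sep:
        return "", target
    return prefix.strip().lower(), page


def resolve_redirect(target: str, table=INTERWIKI_TABLE):
    """Turn a return target into an absolute redirect URL, or None if it must be rejected.

    Rejection cases modelled here:
      * no interwiki prefix at all (caller should treat it as a local title instead),
      * prefix unknown to the table (this also catches 'https://...' style targets,
        whose 'prefix' would be the scheme),
      * prefix known but without the iw_local bit (the gap the advisory describes),
      * a resolved URL whose host differs from the template's host (defence in depth).
    """
    prefix, page = split_interwiki(target)
    if not prefix:
        return None

    row = table.get(prefix)
    if row is None or not row["iw_local"]:
        return None

    # Percent-encode the title so it cannot smuggle in a query string or fragment.
    url = row["iw_url"].replace("$1", quote(page, safe="/:"))

    # The substituted title must not have changed the destination host.
    if urlsplit(url).netloc != urlsplit(row["iw_url"]).netloc:
        return None
    return url


if __name__ == "__main__":
    for candidate in ("en:Main_Page", "ext:Some_Page", "https://attacker.example/x", "Main_Page"):
        print(f"{candidate!r:35} -> {resolve_redirect(candidate)}")
```

The key line is the iw_local test: without it, any prefix in the table would be accepted, which is exactly the behaviour the advisory reports for the unpatched AutoLogin code path.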
To get the fix for this issue, please ensure that your copy of CentralAuth is from at least July 19, 2017.

Associated git commits:
* Master: 6a84c0cb4e31
* REL1_29: 2a220af1e4ac
* REL1_28: 4acfa2865a05 (now requires at least 1.28.1)
* REL1_27: 4db90e20808f (now requires at least 1.27.2)

Associated bug: https://phabricator.wikimedia.org/T134931

Sincerely,
Brian Wolff
Wikimedia Security Team

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJZbudjAAoJEDYflDsVwI3Ux1AQAJXV2pcQicZzApo+WUbqD5aS
5GSEmNlLsS5E16r/tYU2Fhih2qxPJ/iNYCjQI0xZPDWPmi3r8aErEwMs4XS9bfjW
EG/uUsS0DPu9U7BJ+x2h3vOmUFyhyIWHhHMV+6OIAXWyb5Pzm0+oiE8Cw7wx7NId
ZsgTom0T0abXd597mzUomQbGLUPl4gWBbZYqclP9VS8S1xX6ci+UAo0D2hTe9bPN
r0K2C7cmYY0Ltpr2dy9lP3TeEOhsYK3/KQVLZkpTI6h2WZKZSnQKPJzF/qPJEdP8
Zni5zE7heMo+mgXBb6Vcl/+5CDgdxndbdAz9qrgRM51AbF/IfjQAahrs3uc+C7Le
2/zTNkUVxgCyWRrsDVjU8HJHeB/d26fZDNr8cGkXP6BZuTs3bKGG5gCZIVIRmoO8
cMJx0y0vCudDelIFXyE0NssKbKjyUeRZ9djw/kpIQ29CpR211lZuy5tPWB5Tr7/s
9CiwJUPyOjLV6N1icGC3pZfzwxPseJXSY+/J/PwPfwqn/z3IdTiKW9+NfFvp1Tvb
JIPt3ZUN/WbySdGlkTw0fNUo+ILSceDw7cdmRcm08UIV8Ce/xmLhHKF9uinXbAOU
Me0yjKLzHDIZBCCYdZJNPUzRZY+n63Sq0+22Ub4Tv348Pk8kIqtyY+gZuM6l7oMu
SW9yOQQSc5TxNLrPsCUP
=b2xq
-----END PGP SIGNATURE-----

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
