Could somebody who uses www/wikimedia take a look at updating it please?
Last week's security fixes include a fix for an authentication bypass bug.
----- Forwarded message from Thijs Kinkhorst <th...@debian.org> -----
From: Thijs Kinkhorst <th...@debian.org>
Date: Wed, 4 Sep 2013 12:18:36 +0200
To: oss-secur...@lists.openwall.com
Cc: Chris Steipp <cste...@wikimedia.org>
Reply-To: oss-secur...@lists.openwall.com
Importance: Normal
User-Agent: SquirrelMail/1.4.23 [SVN]
Subject: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7
and 1.19.8
Hi,
Mediawiki has announced the following security releases. The message
contains a link to the patches for various release branches.
Can CVE names be assigned please?
thanks,
Thijs
---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7
and 1.19.8
From: "Chris Steipp" <cste...@wikimedia.org>
Date: Tue, September 3, 2013 22:50
To: mediawiki-annou...@lists.wikimedia.org
"MediaWiki-l" <mediawik...@lists.wikimedia.org>
"Wikimedia developers" <wikitec...@lists.wikimedia.org>
--------------------------------------------------------------------------
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an invalid language is specified in ResourceLoader
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>
* An internal review found several API modules allowed anti-CSRF tokens to
be accessed via JSONP.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>
* Andreas Peetz reported an issue with the MediaWiki API where an invalid
property name could be used for XSS with older versions of Internet
Explorer.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>
Additionally, the following extensions have been updated to fix security
issues:
* CentralAuth: An internal review found an authentication regression that
allowed an attacker to bypass authentication
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>
* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
example.php script
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>
* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
anti-CSRF tokens for checking users
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>
* Wikibase: Liangent reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>
* LiquidThreads: Alex Monk reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>
Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>
Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz
Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz
Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz
Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth
**********************************************************************
Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
**********************************************************************
Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser
**********************************************************************
Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase
**********************************************************************
Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
----- End forwarded message -----
