Please go ahead and feel free to take the maintainership of it. Thanks ! wen
2013/9/13 Stuart Henderson <st...@openbsd.org>: > Could somebody who uses www/wikimedia take a look at updating it please? > Last week's security fixes include a fix for an authentication bypass bug. > > > ----- Forwarded message from Thijs Kinkhorst <th...@debian.org> ----- > > From: Thijs Kinkhorst <th...@debian.org> > Date: Wed, 4 Sep 2013 12:18:36 +0200 > To: oss-secur...@lists.openwall.com > Cc: Chris Steipp <cste...@wikimedia.org> > Reply-To: oss-secur...@lists.openwall.com > Importance: Normal > User-Agent: SquirrelMail/1.4.23 [SVN] > Subject: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, > 1.20.7 and 1.19.8 > > Hi, > > Mediawiki has announced the following security releases. The message > contains a link to the patches for various release branches. > > Can CVE names be assigned please? > > > thanks, > Thijs > > ---------------------------- Original Message ---------------------------- > Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 > and 1.19.8 > From: "Chris Steipp" <cste...@wikimedia.org> > Date: Tue, September 3, 2013 22:50 > To: mediawiki-annou...@lists.wikimedia.org > "MediaWiki-l" <mediawik...@lists.wikimedia.org> > "Wikimedia developers" <wikitec...@lists.wikimedia.org> > -------------------------------------------------------------------------- > > I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and > 1.19.8. These releases fix 3 security related bugs that could affect users > of MediaWiki. Download links are given at the end of this email. > > * Mozilla, and other developers, reported a full path disclosure in > MediaWiki, when an invalid language is specified in ResourceLoader > <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332> > > * An internal review found several API modules allowed anti-CSRF tokens to > be accessed via JSONP. > <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090> > > * Andreas Peetz reported an issue with the MediaWiki API where an invalid > property name could be used for XSS with older versions of Internet > Explorer. > <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746> > > > Additionally, the following extensions have been updated to fix security > issues: > > * CentralAuth: An internal review found an authentication regression that > allowed an attacker to bypass authentication > <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338> > > * SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included > example.php script > <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070> > > * CheckUser: Alex Monk reported and fixed that CheckUser didn't require > anti-CSRF tokens for checking users > <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019> > > * Wikibase: Liangent reported and fixed an XSS > <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472> > > * LiquidThreads: Alex Monk reported and fixed an XSS > <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320> > > > > Full release notes for 1.21.2: > <https://www.mediawiki.org/wiki/Release_notes/1.21> > > Full release notes for 1.20.7: > <https://www.mediawiki.org/wiki/Release_notes/1.20> > > Full release notes for 1.19.8: > <https://www.mediawiki.org/wiki/Release_notes/1.19> > > For information about how to upgrade, see > <https://www.mediawiki.org/wiki/Manual:Upgrading> > > > ********************************************************************** > 1.21.2 > ********************************************************************** > Download: > http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz > > Patch to previous version (1.21.1): > http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz > > GPG signatures: > http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > 1.20.7 > ********************************************************************** > Download: > http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz > > Patch to previous version (1.20.6): > http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz > > GPG signatures: > http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > 1.19.8 > ********************************************************************** > Download: > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz > > Patch to previous version (1.19.7): > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz > > GPG signatures: > http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > Extension:CentralAuth > ********************************************************************** > Information and Download: > https://www.mediawiki.org/wiki/Extension:CentralAuth > > ********************************************************************** > Extension:SyntaxHighlight_GeSHi > ********************************************************************** > Information and Download: > https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi > > ********************************************************************** > Extension:CheckUser > ********************************************************************** > Information and Download: > https://www.mediawiki.org/wiki/Extension:CheckUser > > ********************************************************************** > Extension:Wikibase > ********************************************************************** > Information and Download: > https://www.mediawiki.org/wiki/Extension:Wikibase > > ********************************************************************** > Extension:LiquidThreads > ********************************************************************** > Information and Download: > https://www.mediawiki.org/wiki/Extension:LiquidThreads > _______________________________________________ > MediaWiki announcements mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce > > > ----- End forwarded message -----
