On Fri, September 13, 2013 12:49, Stuart Henderson wrote:
> Could somebody who uses www/wikimedia take a look at updating it please?
> Last week's security fixes include a fix for an authentication bypass bug.
Hi.

The two previous updates are bug fixing only, so the diff is simple.

I've made a simple test: installed the old version, configured it and made some changes to the main page. Then updated to 1.19.8. Still works.

Summary log from upstream (1.19.6 -> 1.19.7 -> 1.19.8):

SECURITY: Sanitize ResourceLoader exception messages
SECURITY: Token-getting functions will fail when using jsonp callbacks.
SECURITY: Fix extension detection with 2 .'s
Allow a string other than '*' as condition for DatabaseBase::delete()
Purge upstream caches when deleting file assets.
jquery.tablesorter: Add missing dependency on jquery.mwExtension
(bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mediawiki/Makefile,v
retrieving revision 1.43
diff -u -p -u -r1.43 Makefile
--- Makefile 12 Aug 2013 04:11:21 -0000 1.43
+++ Makefile 19 Sep 2013 12:19:03 -0000
@@ -2,10 +2,9 @@
 COMMENT = web-based collaborative editing environment
-V = 1.19.6
+V = 1.19.8
 DISTNAME = mediawiki-${V}
 CATEGORIES = www
-REVISION = 0
 HOMEPAGE = http://www.mediawiki.org/
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/mediawiki/distinfo,v
retrieving revision 1.25
diff -u -p -u -r1.25 distinfo
--- distinfo 4 May 2013 08:45:41 -0000 1.25
+++ distinfo 19 Sep 2013 12:19:03 -0000
@@ -1,2 +1,2 @@
-SHA256 (mediawiki-1.19.6.tar.gz) = xQVmNcCZuPxzYoBwR7G9LhDC5PsSkEv0rOOwuEdGk6I=
-SIZE (mediawiki-1.19.6.tar.gz) = 18550832
+SHA256 (mediawiki-1.19.8.tar.gz) = 738LrvXiaGC1D6UDEZYmiFvvfpsB4e/zDNCYBrKygAo=
+SIZE (mediawiki-1.19.8.tar.gz) = 18553824

> > > ----- Forwarded message from Thijs Kinkhorst <th...@debian.org> -----
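Review bot: in the Makefile hunk, dropping `REVISION = 0` together with the `V` bump from 1.19.6 to 1.19.8 is correct (the new DISTNAME already yields a newer package version, so a leftover REVISION would only be noise), but the hunk changes nothing else, so please confirm the PLIST still matches the 1.19.8 tarball before committing, and name the security content (the ResourceLoader, JSONP token and chunked-upload fixes listed in the upstream summary above) in the commit message so the update is flagged for anyone tracking -stable.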
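Review bot: the new `SHA256 (mediawiki-1.19.8.tar.gz)` and `SIZE` lines in the distinfo hunk pin whatever tarball `make makesum` fetched, so they should be checked against upstream's detached signature rather than only against the download; the forwarded announcement below lists http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig and the key page https://www.mediawiki.org/keys/keys.html, and a `gpg --verify mediawiki-1.19.8.tar.gz.sig mediawiki-1.19.8.tar.gz` before committing closes that gap.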
> > From: Thijs Kinkhorst <th...@debian.org>
> Date: Wed, 4 Sep 2013 12:18:36 +0200
> To: oss-secur...@lists.openwall.com
> Cc: Chris Steipp <cste...@wikimedia.org>
> Reply-To: oss-secur...@lists.openwall.com
> Importance: Normal
> User-Agent: SquirrelMail/1.4.23 [SVN]
> Subject: [oss-security] CVE request: MediaWiki Security Release: 1.21.2,
> 1.20.7 and 1.19.8
>
> Hi,
>
> MediaWiki has announced the following security releases. The message
> contains a link to the patches for various release branches.
>
> Can CVE names be assigned please?
>
> thanks,
> Thijs
>
> ---------------------------- Original Message ----------------------------
> Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7
> and 1.19.8
> From: "Chris Steipp" <cste...@wikimedia.org>
> Date: Tue, September 3, 2013 22:50
> To: mediawiki-annou...@lists.wikimedia.org
> "MediaWiki-l" <mediawik...@lists.wikimedia.org>
> "Wikimedia developers" <wikitec...@lists.wikimedia.org>
> --------------------------------------------------------------------------
>
> I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
> 1.19.8. These releases fix 3 security related bugs that could affect users
> of MediaWiki. Download links are given at the end of this email.
>
> * Mozilla, and other developers, reported a full path disclosure in
> MediaWiki, when an invalid language is specified in ResourceLoader
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>
>
> * An internal review found several API modules allowed anti-CSRF tokens to
> be accessed via JSONP.
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>
>
> * Andreas Peetz reported an issue with the MediaWiki API where an invalid
> property name could be used for XSS with older versions of Internet
> Explorer.
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>
>
> Additionally, the following extensions have been updated to fix security
> issues:
>
> * CentralAuth: An internal review found an authentication regression that
> allowed an attacker to bypass authentication
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>
>
> * SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
> example.php script
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>
>
> * CheckUser: Alex Monk reported and fixed that CheckUser didn't require
> anti-CSRF tokens for checking users
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>
>
> * Wikibase: Liangent reported and fixed an XSS
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>
>
> * LiquidThreads: Alex Monk reported and fixed an XSS
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>
>
> Full release notes for 1.21.2:
> <https://www.mediawiki.org/wiki/Release_notes/1.21>
>
> Full release notes for 1.20.7:
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
>
> Full release notes for 1.19.8:
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> 1.21.2
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz
>
> Patch to previous version (1.21.1):
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.20.7
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz
>
> Patch to previous version (1.20.6):
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.19.8
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz
>
> Patch to previous version (1.19.7):
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Extension:CentralAuth
> **********************************************************************
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CentralAuth
>
> **********************************************************************
> Extension:SyntaxHighlight_GeSHi
> **********************************************************************
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
>
> **********************************************************************
> Extension:CheckUser
> **********************************************************************
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CheckUser
>
> **********************************************************************
> Extension:Wikibase
> **********************************************************************
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:Wikibase
>
> **********************************************************************
> Extension:LiquidThreads
> **********************************************************************
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:LiquidThreads
> _______________________________________________
> MediaWiki announcements mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
>
> ----- End forwarded message -----
>
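The JSONP item in the announcement above (bug 49090, "anti-CSRF tokens to be accessed via JSONP") and the matching line in the upstream summary ("Token-getting functions will fail when using jsonp callbacks") are easiest to understand with a small model of the API. The following is an added example written for this page; it is not MediaWiki code. The session table, the token and cookie values, the two handler functions and the attacker's `stolen` callback are all constructed for illustration; the parameter names `intoken` and `callback` mirror the shape of an old `action=query&prop=info&intoken=edit` request but the handlers are a toy.

```javascript
'use strict';

// Constructed session table: cookie value -> logged-in user and CSRF token.
// (Illustrative values only; nothing here comes from a real wiki.)
const SESSIONS = {
  'sess-alice': { user: 'Alice', csrfToken: 'a1b2c3d4e5f6a7b8' },
};

function lookupSession(cookies) {
  return SESSIONS[cookies.session] || null;
}

// Serialise a result as plain JSON or, when `callback` is given, as JSONP.
// The callback name is restricted to a JavaScript identifier so that the
// parameter itself cannot inject script into the response.
function render(result, callback) {
  const json = JSON.stringify(result);
  if (callback === undefined) {
    return { contentType: 'application/json', body: json };
  }
  if (!/^[A-Za-z_$][\w$]*$/.test(callback)) {
    throw new Error('invalid callback name');
  }
  return { contentType: 'text/javascript', body: `${callback}(${json});` };
}

// Vulnerable shape: the token is added whenever intoken=edit is requested,
// without regard to whether the response will be wrapped in a JSONP callback.
function handleApiVulnerable(params, cookies) {
  const session = lookupSession(cookies);
  const result = { query: { pages: { 1: { title: 'Main Page' } } } };
  if (params.intoken === 'edit' && session) {
    result.query.pages[1].edittoken = session.csrfToken;
  }
  return render(result, params.callback);
}

// Hardened shape: a token request combined with a JSONP callback is refused
// and a warning is returned instead; plain same-origin JSON requests still
// receive the token.
function handleApiHardened(params, cookies) {
  const session = lookupSession(cookies);
  const result = { query: { pages: { 1: { title: 'Main Page' } } } };
  if (params.intoken === 'edit') {
    if (params.callback !== undefined) {
      result.warnings = {
        query: { '*': 'Tokens are not available when using a JSONP callback' },
      };
    } else if (session) {
      result.query.pages[1].edittoken = session.csrfToken;
    }
  }
  return render(result, params.callback);
}

// Stand-in for the victim's browser executing, on attacker.example,
//   <script src="https://wiki.example/api.php?...&callback=stolen">
// The browser attaches the wiki's cookies to that request, and the JSONP
// body then runs in the attacker's page, so whatever the callback receives
// is the attacker's to keep.
function attackerHarvest(response) {
  let captured = null;
  const stolen = (data) => { captured = data; };
  new Function('stolen', response.body)(stolen);
  return captured;
}

// Runs the cross-site request against a handler and returns the edit token
// the attacker ends up with, or null if none leaked.
function stolenToken(handler) {
  const response = handler(
    { action: 'query', prop: 'info', intoken: 'edit', callback: 'stolen' },
    { session: 'sess-alice' },
  );
  const data = attackerHarvest(response);
  return (data && data.query.pages[1].edittoken) || null;
}

console.log('vulnerable handler leaks token:', stolenToken(handleApiVulnerable));
console.log('hardened handler leaks token:', stolenToken(handleApiHardened));
```

The point the model makes is that the same-origin policy never enters into it: a `<script>` load is allowed cross-origin and carries the victim's cookies, so any value the JSONP body contains is readable by the embedding page. A CSRF token only works because the attacker cannot read it, which is why the fix is to withhold tokens whenever a callback is present rather than to validate the callback name (the identifier check in `render` is still needed, but it addresses a different bug).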