Message-ID: <d531af465dc75824188fe42289cdf981.squirrel@aphrodite.kinkhorst.nl>
Date: Wed, 4 Sep 2013 12:18:36 +0200
From: "Thijs Kinkhorst" <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Cc: "Chris Steipp" <csteipp@...imedia.org>
Subject: CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8

Hi,

Mediawiki has announced the following security releases. The message
contains a link to the patches for various release branches.

Can CVE names be assigned please?

thanks,
Thijs

---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
From: "Chris Steipp" <csteipp@...imedia.org>
Date: Tue, September 3, 2013 22:50
To: mediawiki-announce@...ts.wikimedia.org
    "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>
    "Wikimedia developers" <wikitech-l@...ts.wikimedia.org>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.

* Mozilla, and other developers, reported a full path disclosure in
  MediaWiki, when an invalid language is specified in ResourceLoader
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>

* An internal review found several API modules allowed anti-CSRF tokens to
  be accessed via JSONP.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>

* Andreas Peetz reported an issue with the MediaWiki API where an invalid
  property name could be used for XSS with older versions of Internet
  Explorer.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>

Additionally, the following extensions have been updated to fix security
issues:

* CentralAuth: An internal review found an authentication regression that
  allowed an attacker to bypass authentication
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>

* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
  example.php script
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>

* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
  anti-CSRF tokens for checking users
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>

* Wikibase: Liangent reported and fixed an XSS
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>

* LiquidThreads: Alex Monk reported and fixed an XSS
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>

Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz

Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz

Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz

Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi

**********************************************************************
Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser

**********************************************************************
Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase

**********************************************************************
Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce