Hello everyone,
The prior maintenance release announcement email titled
MediaWiki Security and Maintenance Releases: 1.23.6, 1.22.13 and 1.19.21
included the word "Security" in the subject. This inclusion was a
mistake. There are no security fixes included in these releases.
Best,
Mark A. Hershberger
(Wiki Release Team)
Hello everyone,
This is a notice that on Wednesday, October 28, 2014, between
20:00-22:00 UTC, we will release maintenance updates for current and
supported branches of the MediaWiki software. Downloads and patches will
be available at that time.
Best,
Mark A. Hershberger
(Wiki Release Team)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A number of security issues in MediaWiki extensions have been fixed.
Users of these extensions should update to the latest version.
* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount failed to validate the anti-CSRF
token in its forms when performing actions.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70469>
** (bug 70468) The internal function to attach multiple local wiki
accounts into a single, global account did not re-check that the
requesting user owned the "home wiki" for that username, but assumed
that user did own this account. This could allow a user to add their
local account edits to a global account that they didn't own.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70468>
** (bug 71749) Incomplete fix for bug 70468. The fix wasn't applied to
the new feature where accounts were globalized automatically on login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=71749>
** (bug 70620) When globally renaming a user, the antispoof table,
which prevents similar-looking names from being created, wasn't
updated. This potentially allowed another user to register an account
with a name that looked identical to the username of a user who had
been globally renamed.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70620>
* MobileFrontend: (bug 70009) Sherif Mansour discovered that POST
parameters were being added to links generated by MobileFrontend,
which could reveal the user's password after login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70009>
**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth
**********************************************************************
Extension:MobileFrontend
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:MobileFrontend
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iF4EAREIAAYFAlQ1lJoACgkQ7h9mNGLYTwGdgAD/X7q6WfaBoE2SdKjZeoLE9yvs
wg07Fs4kytmmSQDXa4IBAKBgaYuhuRt5j+G5Q9YNdfCCkvlSqnz7heCIX1Ddn5ma
=cOb1
-----END PGP SIGNATURE-----
Hello everyone,
this is a notice that on Wednesday, 1st October 2014, between 20:00-22:00 UTC
we will release security updates for current and supported branches of the
MediaWiki software. Downloads and patches will be available at that time.
Best,
Markus Glaser
(Wiki Release Team)