On Thursday, November 29th, between 21:00 and 22:00 UTC (1-2pm PST), the Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. We are providing this pre-announcement as a courtesy so that administrators can be ready to apply the fixes on Thursday. We will send another announcement email when the patches and tar files are ready for download.
* Vulnerabilities were found in both MediaWiki core and the CentralAuth extension. Successful exploitation could allow an attacker to compromise another user's account. Risk is considered moderate (CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to prevent users from viewing Special:RecentChanges, and other pages, which could prevent the detection of SPAM or vandalism. Public wikis are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS. Exploitation requires user interaction or an existing XSS vulnerability, so risk of exploitation is low.
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading