I would like to announce the release of MediaWiki 1.20.3 and 1.19.4. These releases fix 3 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email.
* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST when establishing an SSL connection, instead of '2'. https://bugzilla.wikimedia.org/show_bug.cgi?id=44135 https://bugzilla.wikimedia.org/show_bug.cgi?id=42441
* MediaWiki developer Krenair discovered that the full user object, including password hash, could be returned when unblocking a user by the API. Exploitation of this vulnerability requires the user to have permissions to unblock users; by default this is limited to users in the sysop group. https://bugzilla.wikimedia.org/show_bug.cgi?id=43518
* MediaWiki developer Platonides discovered that the maintenance script mwdoc-filter.php did not check if it was being run via the CLI, and could allow an attacker to read arbitrary files if PHP's register_globals was enabled and the .htaccess file in the maintenance directory, which by default denies access for all users, was disabled. https://bugzilla.wikimedia.org/show_bug.cgi?id=45355
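The CURLOPT_SSL_VERIFYHOST item above, as an added example that is not MediaWiki's own code: PHP casts `true` to the integer 1, which is not the hostname-matching mode that 2 selects, so a wrapper can refuse such values before opening a handle. The function names `auditTlsCurlOptions` and `openVerifiedHandle` are hypothetical, and the block assumes PHP's cURL extension is loaded.

```php
<?php
// Added example; function names are hypothetical, not part of MediaWiki.

/** Return the problems in a cURL option array that weaken TLS checks. */
function auditTlsCurlOptions(array $opts): array {
    $problems = [];
    // An absent key is fine: openVerifiedHandle() fills in the strict value.
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts)) {
        $v = $opts[CURLOPT_SSL_VERIFYHOST];
        // true becomes integer 1 inside curl_setopt(); only 2 requests
        // that the certificate name match the host being contacted.
        if ($v !== 2) {
            $problems[] = 'CURLOPT_SSL_VERIFYHOST is '
                . var_export($v, true) . ', expected integer 2';
        }
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts)
        && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $problems[] = 'CURLOPT_SSL_VERIFYPEER is disabled';
    }
    return $problems;
}

/** Create a cURL handle, rejecting caller options that relax verification. */
function openVerifiedHandle(string $url, array $opts = []) {
    $problems = auditTlsCurlOptions($opts);
    if ($problems) {
        throw new InvalidArgumentException(implode('; ', $problems));
    }
    $ch = curl_init($url);
    // Array union keeps the caller's (already audited) keys and adds defaults.
    curl_setopt_array($ch, $opts + [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    return $ch;
}

// Constructed inputs: the pre-fix value described above and the corrected one.
$before = [CURLOPT_SSL_VERIFYHOST => true];
$after  = [CURLOPT_SSL_VERIFYHOST => 2];
print_r(auditTlsCurlOptions($before)); // one finding
print_r(auditTlsCurlOptions($after));  // no findings
```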
Full release notes for 1.20.3: https://www.mediawiki.org/wiki/Release_notes/1.20
Full release notes for 1.19.4: https://www.mediawiki.org/wiki/Release_notes/1.19
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
**********************************************************************
1.20.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz

Patch to previous version (1.20.2), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
1.19.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz

Patch to previous version (1.19.3), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html