MediaWiki-announce January 2011

mediawiki-announce@lists.wikimedia.org

1 participants
2 discussions

MediaWiki and PHP 5.3.5/5.2.17
by Tim Starling 12 Jan '11

12 Jan '11

If you're running MediaWiki on a 32-bit platform, you should upgrade to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux distribution which includes a fix for CVE-2010-4645. If you run MediaWiki on a 32-bit platform with an earlier version of PHP, you will be vulnerable to a denial-of-service vulnerability. CVE-2010-4645 is a vulnerability which causes the conversion from a string to a floating-point number to take forever, for certain special strings. PHP's weak typing means that such conversion can take place implicitly, for example in code like "$string > 0". I can confirm that MediaWiki has modules which will convert user input to a floating-point number. Conversion can be triggered by an attacker with no special privileges. PHP release announcement: http://www.php.net/archive/2011.php#id2011-01-06-1 Updated Ubuntu packages: http://www.ubuntu.com/usn/usn-1042-1 -- Tim Starling

1 0

MediaWiki security release 1.16.1
by Tim Starling 04 Jan '11

04 Jan '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I would like to announce the release of MediaWiki 1.16.1, which is a security and maintenance release. Wikipedia user PleaseStand pointed out that MediaWiki has no protection against "clickjacking". With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki. Our fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options. For information about supported browsers, see: <https://developer.mozilla.org/en/the_x-frame-options_response_header> For more information about this vulnerability and the related patch, see: <https://bugzilla.wikimedia.org/show_bug.cgi?id=26561> Other changes in MediaWiki 1.16.1: * (bug 24981) Allow extensions to access SpecialUpload variables again * (bug 24724) list=allusers was out by 1 (shows total users - 1) * (bug 24166) Fixed API error when using rvprop=tags * For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload. * (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0) * (bug 25248) Fixed paraminfo errors in certain API modules. * The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled. * (bug 19593) Specifying --server in now works for all maintenance scripts. * Fixed $wgLicenseTerms register globals. Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NO… ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz Patch to previous version (1.16.0), without interface text: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz GPG signatures: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz.sig http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz.sig http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz… Public keys: https://secure.wikimedia.org/keys.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk0ixHAACgkQgkA+Wfn4zXmOcgCePqvDrlaw1FZLbtOfx/3tEIID GQkAn3eSSdTbBCOqXLvXNiG4Vm0kXl7r =haR1 -----END PGP SIGNATURE-----

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce January 2011