I would like to announce the release of MediaWiki 1.20.1, 1.19.3 and 1.18.6. These releases fix 3 security related bugs that could affect users of MediaWiki. Download links are given at the end of this email . Please note that support for the MediaWiki 1.18 branch ends this month.
* During an internal review, it was discovered that MediaWiki core is vulnerable to session fixation attacks. Successful exploitation could allow an attacker to compromise another user's account. This issues has been assigned CVE-2012-5391. A similar vulnerability was also identified in the CentralAuth Extension, and assigned CVE-2012-5395. https://bugzilla.wikimedia.org/show_bug.cgi?id=40995 https://bugzilla.wikimedia.org/show_bug.cgi?id=40962
* Wikipedia user PleaseStand discovered that a new API feature in MediaWiki 1.20 allowed for HTML code to be injected into the "editfont" option. Since this option only affects the current user, exploitation for XSS is difficult. However, users of MediaWiki 1.20 are encouraged to upgrade. https://bugzilla.wikimedia.org/show_bug.cgi?id=42202
* Wikipedia user PleaseStand discovered that a PCRE backtrack limit could easily be exceeded, causing recent changes and history pages to fail to display. Since these pages are often used for fighting spam and vandalism, public wikis are encouraged to update. https://bugzilla.wikimedia.org/show_bug.cgi?id=41400
Full release notes for 1.20.1: https://www.mediawiki.org/wiki/Release_notes/1.20
Full release notes for 1.19.3: https://www.mediawiki.org/wiki/Release_notes/1.19
Full release notes for 1.18.6: https://www.mediawiki.org/wiki/Release_notes/1.18
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** 1.20.1 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.tar.gz
Patch to previous version (1.20.0), without interface text: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.1.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.tar.gz.sig http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.patch.gz.sig http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.1.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
********************************************************************** 1.19.3 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.tar.gz
Patch to previous version (1.19.2), without interface text: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.3.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.tar.gz.sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.patch.gz.sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.3.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
********************************************************************** 1.18.6 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.tar.gz
Patch to previous version (1.18.5): http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.tar.gz.sig http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
********************************************************************** Extension:CentralAuth ********************************************************************** Information and Download: http://www.mediawiki.org/wiki/Extension:CentralAuth
mediawiki-announce@lists.wikimedia.org