The following announcement details a breaking change to the API. The change is already live on WMF wikis.
- Carl
---------- Forwarded message ---------- From: Tim Starling tstarling@wikimedia.org Date: Tue, Apr 6, 2010 at 9:03 PM Subject: [Wikitech-l] MediaWiki security update: 1.15.3 and 1.16.0beta2 To: mediawiki-l@lists.wikimedia.org, wikitech-l@lists.wikimedia.org, mediawiki-announce@lists.wikimedia.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki 1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients using it will need to be updated. We apologise for making such a disruptive change in a minor release, but we feel that security is paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
********************************************************************** 1.15.3 **********************************************************************
Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOT...
Download: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz
Patch to previous version (1.15.2), without interface text: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz.sig http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz.sig http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
********************************************************************** 1.16.0beta2 ********************************************************************** Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEAS...
Download: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz
Patch to previous version (1.16.0beta1), without interface text: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patc...
GPG signatures: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz.si... http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz.... http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patc...
Public keys: https://secure.wikimedia.org/keys.html
Forwarding to API annouce list, apologies for double-post on API list. Please don't respond to this message, respond to the existing thread on the mediawiki-api list instead.
Roan Kattouw (Catrope)
---------- Forwarded message ---------- From: Carl (CBM) cbm.wikipedia@gmail.com Date: 2010/4/7 Subject: [Mediawiki-api] Fwd: MediaWiki security update: 1.15.3 and 1.16.0beta2 To: mediawiki-api@lists.wikimedia.org
The following announcement details a breaking change to the API. The change is already live on WMF wikis.
- Carl
---------- Forwarded message ---------- From: Tim Starling tstarling@wikimedia.org Date: Tue, Apr 6, 2010 at 9:03 PM Subject: [Wikitech-l] MediaWiki security update: 1.15.3 and 1.16.0beta2 To: mediawiki-l@lists.wikimedia.org, wikitech-l@lists.wikimedia.org, mediawiki-announce@lists.wikimedia.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki 1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients using it will need to be updated. We apologise for making such a disruptive change in a minor release, but we feel that security is paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
********************************************************************** 1.15.3 **********************************************************************
Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOT...
Download: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz
Patch to previous version (1.15.2), without interface text: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz.sig http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz.sig http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
********************************************************************** 1.16.0beta2 ********************************************************************** Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEAS...
Download: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz
Patch to previous version (1.16.0beta1), without interface text: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patc...
GPG signatures: http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz.si... http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz.... http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patc...
Public keys: https://secure.wikimedia.org/keys.html
_______________________________________________ Mediawiki-api mailing list Mediawiki-api@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
_______________________________________________ Mediawiki-api-announce mailing list Mediawiki-api-announce@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce
mediawiki-api@lists.wikimedia.org