-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello everyone.
This is a security announcement for the CentralAuth extension. Two issues were discovered in the extension, and all users are strongly encouraged to upgrade.
Issue 1: XSS in Special:GlobalGroupPermissions
Due to a lack of escaping in the Special:GlobalGroupPermissions page, an attacker would be able to inject arbitrary JavaScript into the page, potentially leading to the takeover of other users' accounts.
The fix for this issue was accidentally included in another patch - fadb367ad (February 1, 2017). If you are using the master branch of the extension, you need to ensure that your copy is newer than February 1.
All versions of the REL1_29 branch have this fix.
For REL1_28, please ensure that you have the commit 1e9d612 (July 19, 2017).
For REL1_27, please ensure that you have the commit aa3401503 (July 19, 2017).
This issue was discovered by Grunny.
For more information, please see: https://phabricator.wikimedia.org/T134863
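The following PHP snippet is an added illustration of the bug class behind Issue 1; it is not CentralAuth's code and the group name it renders is a constructed sample. It places the unescaped rendering pattern next to the hardened one so the effect of escaping at the output boundary is visible.

```php
<?php
// Added illustration of the bug class in Issue 1; this is not CentralAuth code.
// A group name taken from user-controlled input is rendered into HTML. The
// sample value is constructed and carries markup to show the difference.
$groupName = '"><script>alert(1)</script>';  // constructed sample input

// Vulnerable pattern: the untrusted value is interpolated straight into markup,
// so any tags or quote characters it contains become live HTML.
function renderGroupUnescaped( string $name ): string {
    return "<li class=\"group\" data-name=\"$name\">$name</li>";
}

// Hardened pattern: escape at the output boundary. htmlspecialchars() with
// ENT_QUOTES neutralises <, >, & and both quote characters, so the value is
// displayed as text both in element content and inside attribute values.
// (MediaWiki's Html::element() helper applies the same escaping to the
// content and attribute values it is given.)
function renderGroupEscaped( string $name ): string {
    $safe = htmlspecialchars( $name, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return "<li class=\"group\" data-name=\"$safe\">$safe</li>";
}

echo renderGroupUnescaped( $groupName ), PHP_EOL;  // markup is interpreted
echo renderGroupEscaped( $groupName ), PHP_EOL;    // markup is shown as text
```

The hardened function is the one to keep: escaping once, at the point where a value is written into HTML, is what the missing step in Special:GlobalGroupPermissions amounted to.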
Issue 2: Open redirect in AutoLogin
An attacker can cause a user who is globally logged in, but not logged in on a specific wiki, to be redirected to an arbitrary interwiki link, even for interwiki prefixes without the iw_local bit set.
To get the fix for this issue, please ensure that your copy of CentralAuth is from at least July 19, 2017.
Associated git commits:
* Master: 6a84c0cb4e31
* REL1_29: 2a220af1e4ac
* REL1_28: 4acfa2865a05 (Now requires at least 1.28.1)
* REL1_27: 4db90e20808f (Now requires at least 1.27.2)
Associated bug: https://phabricator.wikimedia.org/T134931
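As an added example of the check Issue 2 describes (not CentralAuth's own code), the PHP below resolves a "prefix:Page" return-to target against an interwiki table and refuses any prefix whose iw_local bit is not set. The table, the function name resolveLocalInterwiki and the example hostnames are all constructed for this illustration.

```php
<?php
// Added illustration of the check behind Issue 2; this is not CentralAuth code.
// The interwiki table below is constructed; a real wiki reads it from the
// `interwiki` database table, where iw_local marks prefixes that point at
// wikis in the same family.
$interwikiTable = [
    // prefix => [ 'url' => iw_url with $1 placeholder, 'local' => iw_local bit ]
    'en'  => [ 'url' => 'https://en.example.org/wiki/$1',  'local' => 1 ],
    'ext' => [ 'url' => 'https://external.example.net/$1', 'local' => 0 ],
];

/**
 * Turn a "prefix:Page" return-to target into an absolute URL, or return null
 * when the prefix is unknown or lacks the iw_local bit. Refusing non-local
 * prefixes is what stops an auto-login return-to parameter from acting as an
 * open redirect to an arbitrary host.
 */
function resolveLocalInterwiki( string $target, array $table ): ?string {
    $parts = explode( ':', $target, 2 );
    if ( count( $parts ) !== 2 || $parts[1] === '' ) {
        return null; // no interwiki prefix, or nothing after it
    }
    [ $prefix, $page ] = $parts;
    $prefix = strtolower( trim( $prefix ) );
    if ( !isset( $table[$prefix] ) || !$table[$prefix]['local'] ) {
        return null; // unknown prefix, or iw_local not set: no redirect issued
    }
    return str_replace( '$1', rawurlencode( $page ), $table[$prefix]['url'] );
}

var_dump( resolveLocalInterwiki( 'en:Main_Page', $interwikiTable ) );   // local prefix
var_dump( resolveLocalInterwiki( 'ext:Main_Page', $interwikiTable ) );  // non-local prefix, refused
```

Only the first call yields a URL; the second is refused because the prefix exists but is not marked local, which is exactly the distinction the vulnerable AutoLogin code failed to make.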
Sincerely,
Brian Wolff
Wikimedia Security Team
mediawiki-l@lists.wikimedia.org