-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A number of security issues in MediaWiki extensions have been fixed. Users of these extensions should update to the latest version.
* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount failed to validate the anti-CSRF token in its forms when performing actions.
https://bugzilla.wikimedia.org/show_bug.cgi?id=70469
** (bug 70468) The internal function to attach multiple local wiki accounts into a single, global account did not re-check that the requesting user owned the "home wiki" for that username, but assumed that the user did own this account. This could allow a user to add their local account edits to a global account that they didn't own.
https://bugzilla.wikimedia.org/show_bug.cgi?id=70468
** (bug 71749) Incomplete fix for bug 70468. The fix wasn't applied to the new feature where accounts were globalized automatically on login.
https://bugzilla.wikimedia.org/show_bug.cgi?id=71749
** (bug 70620) When globally renaming a user, the antispoof table, which prevents similar-looking names from being created, wasn't updated. This potentially allowed another user to register an account with a name that looked identical to the username of a user who had been globally renamed.
https://bugzilla.wikimedia.org/show_bug.cgi?id=70620
* MobileFrontend: (bug 70009) Sherif Mansour discovered that POST parameters were being added to links generated by MobileFrontend, which could reveal the user's password after login.
https://bugzilla.wikimedia.org/show_bug.cgi?id=70009
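The class of bug described in the MobileFrontend item (bug 70009), shown as an added example that is not MobileFrontend's code or its fix: a link builder that copies merged request data into a URL, next to a version that only carries allowlisted query-string values. The function names, the `view` parameter, the allowlist and the sample request are assumptions constructed for this illustration.

```php
<?php
// Added illustration, not code from MobileFrontend. All names are hypothetical.

// Constructed sample request: a login form POSTed to a URL with a query string.
$query = ['title' => 'Special:UserLogin', 'returnto' => 'Main_Page'];
$body  = ['wpName' => 'Alice', 'wpPassword' => 'constructed-secret'];

/** Flawed: treats query string and POST body alike as state to carry into the link. */
function buildViewLinkFlawed(array $query, array $body, string $view): string
{
    $params = array_merge($query, $body, ['view' => $view]);
    return '/index.php?' . http_build_query($params);
}

/** Hardened: only query-string values whose keys are on an allowlist reach the link. */
function buildViewLinkSafe(array $query, string $view): string
{
    $allowed = ['title', 'returnto']; // assumed allowlist for this illustration
    $params = array_intersect_key($query, array_flip($allowed));
    $params['view'] = $view;
    return '/index.php?' . http_build_query($params);
}

/** Review helper: true if the generated URL carries any field name from the POST body. */
function linkCarriesBodyField(string $url, array $body): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $linkParams);
    return count(array_intersect_key($linkParams, $body)) > 0;
}

$flawed = buildViewLinkFlawed($query, $body, 'desktop');
$safe   = buildViewLinkSafe($query, 'desktop');

// Print each link and whether a POST body field ended up in it.
echo $flawed, "\n";
var_dump(linkCarriesBodyField($flawed, $body));
echo $safe, "\n";
var_dump(linkCarriesBodyField($safe, $body));
```

A value that ends up in a link is exposed in the rendered page, browser history, Referer headers and server access logs, so a check like `linkCarriesBodyField` is useful as a regression test around any code that generates links from request data.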
**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:MobileFrontend
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:MobileFrontend

wikitech-l@lists.wikimedia.org