-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
This is a security release of MediaWiki 1.13.3, 1.12.1 and 1.6.11. Some of the security issues affect *all* versions of MediaWiki except the versions released today, so all site administrators are encouraged to upgrade.
Users of the development (trunk) branch should upgrade to r44506 or later.
David Remahl of Apple's Product Security team has identified a number of security issues in MediaWiki. Subsequent analysis by the MediaWiki development team led to further discoveries. The issues with a significant impact are as follows:
* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer clients for all MediaWiki installations with uploads enabled. [CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG scripting capability (such as Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
These four vulnerabilities are all fixed in these releases.
XSS (cross-site scripting) vulnerabilities allow an attacker to steal an authorised user's login session, and to act as that user on the wiki. The authorised user must visit a web page controlled by the attacker in order to activate the attack. Intranet wikis are vulnerable if the attacker can determine the intranet URL.
Local script injection vulnerabilities are like XSS vulnerabilities, except that the attacker must have an account on the local wiki, and there is no external site involved. The attacker uploads a script to the wiki, which another user is tricked into executing, with the effect that the attacker is able to act as the privileged user.
CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki, but unlike an XSS vulnerability, the attacker can only act as the user in a specific and restricted way. The present CSRF vulnerability allows pages to be edited, with forged revision histories. Like an XSS vulnerability, the authorised user must visit the malicious web page to activate the attack.
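The SVG variant of the local script injection above relies on active content inside an uploaded image. The following heuristic scanner is an added example for site operators, not MediaWiki's own upload filter; the sample documents are constructed, and the function and constant names are assumptions.

```python
"""Heuristic scan of an uploaded SVG for active content: script elements,
on* event-handler attributes and javascript: URIs.  Added example; it is not
MediaWiki's own upload filter and the sample inputs are constructed."""
import xml.etree.ElementTree as ET


def _local(name):
    # Strip the Clark-notation namespace, e.g. "{http://www.w3.org/2000/svg}script".
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means this heuristic saw nothing.
    Malformed XML is itself a finding: a browser may still render what a strict
    parser rejects, so such uploads should be refused rather than guessed at."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc})"]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):   # comments / PIs, if a parser emits them
            continue
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)            # xlink:href and plain href both become "href"
            # Whitespace is removed before matching so that split-up schemes do not slip past.
            scheme = "".join(value.split()).lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{tag}>")
            elif aname == "href" and scheme.startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings


# Constructed samples: a benign drawing and one carrying each kind of active content.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<script>void 0</script>'
              b'<a xlink:href="javascript:void(0)"><text onclick="void 0">t</text></a>'
              b'</svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(doc) or "no active content found")
```

An empty result only means this particular heuristic found nothing; it is a screening step before a whitelist-based check, not a substitute for one.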
David Remahl also reminded us of some security-related configuration issues:
* Since 1.11, by default, MediaWiki stores a backup of deleted images in the images/deleted directory. If you do not want these images to be publicly accessible, make sure this directory is not accessible from the web. MediaWiki takes some steps to avoid leaking these images, but these measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal errors. This is the default on most shared web hosts.
* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may lead to path disclosure.
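An added audit script (not part of MediaWiki) that checks the three configuration points above from the relevant files' contents. The file locations used by audit_install(), the .htaccess check and all function names are assumptions; the deleted-directory check only applies when that directory sits under the web root and Apache honours AllowOverride.

```python
"""Audit the three configuration points the announcement lists.  Added example,
not part of MediaWiki; file locations in audit_install() are assumptions."""
import os
import re

OFF_VALUES = ("off", "0", "", "false", "no")   # spellings php.ini treats as Off

def audit_local_settings(text):
    # Flag $wgShowExceptionDetails = true; (path disclosure via exception output).
    if re.search(r"^\s*\$wgShowExceptionDetails\s*=\s*true\s*;", text, re.M | re.I):
        return ["LocalSettings.php: $wgShowExceptionDetails is enabled"]
    return []

def audit_php_ini(text):
    # Flag display_errors unless the last (effective) definition turns it off.
    last = None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()            # ';' starts a php.ini comment
        m = re.match(r'display_errors\s*=\s*"?([^"\s]*)"?', line, re.I)
        if m:
            last = m.group(1)
    if last is None:
        return ["php.ini: display_errors not set explicitly; set display_errors=Off"]
    if last.lower() not in OFF_VALUES:
        return [f"php.ini: display_errors={last}; set display_errors=Off"]
    return []

def audit_deleted_dir(htaccess_text):
    # htaccess_text is images/deleted/.htaccess, or None if absent.  Only meaningful
    # when the directory is under the web root and Apache honours AllowOverride.
    if htaccess_text is None:
        return ["images/deleted: no .htaccess; the web server may serve this directory"]
    if not re.search(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     htaccess_text, re.M | re.I):
        return ["images/deleted: .htaccess does not deny access"]
    return []

def audit_install(mw_root, php_ini="/etc/php.ini"):
    # Run every check against an installation; the file locations are assumptions.
    findings = []
    with open(os.path.join(mw_root, "LocalSettings.php")) as f:
        findings += audit_local_settings(f.read())
    if os.path.exists(php_ini):
        with open(php_ini) as f:
            findings += audit_php_ini(f.read())
    deleted = os.path.join(mw_root, "images", "deleted")
    if os.path.isdir(deleted):
        ht = os.path.join(deleted, ".htaccess")
        findings += audit_deleted_dir(open(ht).read() if os.path.exists(ht) else None)
    return findings
```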
Users of MediaWiki 1.6.x (the last branch which supported PHP 4) are strongly recommended to upgrade to PHP 5 and MediaWiki 1.13.3. It is not necessary to upgrade to 1.6.11 first; just upgrade directly to the latest version.
Upgrade FAQ: http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_3/phase3/RELEASE-NOT...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_2/phase3/RELEASE-NOT...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_11/phase3/RELEASE-NOT...
**********************************************************************
MEDIAWIKI 1.13.3
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.tar.gz

Patch to previous version (1.13.2), without interface text:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.3.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
MEDIAWIKI 1.12.2
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.tar.gz

Patch to previous version (1.12.1), without interface text:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.2.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
MEDIAWIKI 1.6.11
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.tar.gz

Patch to previous version (1.6.10):
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
Tim Starling wrote:
> MEDIAWIKI 1.12.2
> Download: http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.tar.gz
>
> Patch to previous version (1.12.1), without interface text:
> http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.patch.gz
> Interface text changes:
> http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.2.patch.gz
Unfortunately the 1.12.2 download and patch files are corrupt, missing a large number of files and will not work properly.
Until a fixed release is issued, please either pull 1.12.2 updates direct from SVN or update directly to 1.13.
-- brion vibber (brion @ wikimedia.org)
wikitech-l@lists.wikimedia.org