I would like to announce the release of MediaWiki 1.17.1. Two security issues were discovered.
Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed by passing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
The second issue was found by Tim Starling, who discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.1.tar.gz

Patch to previous version (1.17.0), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.15.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.1.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
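
The ordering that both fixes depend on, as an added example that is not part of the original announcement and is not MediaWiki source: a simplified front controller that makes one read check before either the ajax branch or the page-id branch runs. The request keys `pageid`, `func` and `arg`, the handler name, the 403 response and the sample data are assumptions made for the illustration.

```php
<?php
// Added illustration with hypothetical names; not MediaWiki source.

// Constructed sample data: page id => title.
const PAGE_TITLES = [1 => 'Main_Page', 2 => 'Merger_plans'];

// Constructed ajax handler table, keyed by the function name in the request.
function ajaxHandlers(): array
{
    return [
        'titlesStartingWith' => fn(string $prefix): array => array_values(array_filter(
            PAGE_TITLES,
            fn(string $t): bool => strncasecmp($t, $prefix, strlen($prefix)) === 0
        )),
    ];
}

function handleRequest(array $query, array $rights): array
{
    $isAjax = ($query['action'] ?? '') === 'ajax';
    // One read check, made before any branch resolves an id or calls a handler.
    if (!in_array('read', $rights, true)) {
        // The answer is the same for existing and missing ids, so it cannot
        // be used to learn which ids (and titles) exist.
        return $isAjax
            ? ['status' => 403, 'body' => 'permission denied']
            : ['status' => 302, 'location' => 'Special:BadTitle'];
    }
    if ($isAjax) {
        $handler = ajaxHandlers()[$query['func'] ?? ''] ?? null;
        return $handler === null
            ? ['status' => 400, 'body' => 'unknown function']
            : ['status' => 200, 'body' => $handler((string)($query['arg'] ?? ''))];
    }
    // Page-id branch: only reached by users who hold the read right.
    $title = PAGE_TITLES[(int)($query['pageid'] ?? 0)] ?? null;
    return ['status' => 302, 'location' => $title ?? 'Special:BadTitle'];
}

// Constructed requests, run first without rights and then with 'read'.
$requests = [['pageid' => '2'], ['pageid' => '99'],
    ['action' => 'ajax', 'func' => 'titlesStartingWith', 'arg' => 'Mer']];
foreach ([[], ['read']] as $rights) {
    foreach ($requests as $q) {
        echo json_encode($rights), ' ', json_encode($q), ' => ',
            json_encode(handleRequest($q, $rights)), "\n";
    }
}
```
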
On Tue, Nov 29, 2011 at 3:13 AM, Sam Reed reedy@wikimedia.org wrote:
Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed by passing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
Haha, I proposed the Special:BadTitle solution over a year ago :)
wikitech-l@lists.wikimedia.org