I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and 1.19.10. These releases fix a number of security related bugs that could affect users of MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file for the full list of changes in this version. Download links are given at the end of this email.
== Security fixes ==
* MediaWiki user Michael M reported that the fix for bug 55332 (CVE-2013-4568) allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS. (CVE-2013-6451) https://bugzilla.wikimedia.org/show_bug.cgi?id=58088
* Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript. (CVE-2013-6452) https://bugzilla.wikimedia.org/show_bug.cgi?id=57550
* During internal review, it was discovered that MediaWiki's SVG sanitization could be bypassed when the XML was considered invalid. (CVE-2013-6453) https://bugzilla.wikimedia.org/show_bug.cgi?id=58553
* Durign internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454) https://bugzilla.wikimedia.org/show_bug.cgi?id=58472
* During internal review, it was discovered that MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists. (CVE-2013-6472) https://bugzilla.wikimedia.org/show_bug.cgi?id=58699
Additionally, the following extensions have been updated to fix security issues:
* TimedMediaHandler: Bawolff discovered an XSS vulnerability with the way the extension stored and used HTML for showing videos. (CVE-2013-4574) https://bugzilla.wikimedia.org/show_bug.cgi?id=56699
* Scribuntu: Internal review found a NULL pointer dereference in php-luasandbox, which could be used for DoS attacks. (CVE-2013-4570) https://bugzilla.wikimedia.org/show_bug.cgi?id=54527
* Scribuntu: Internal review found a Buffer Overflow in php-luasandbox. It's not know if this could be use for code execution on the server. (CVE-2013-4571) https://bugzilla.wikimedia.org/show_bug.cgi?id=49705
* CentralAuth: Eran Roz reported that MediaWiki usernames could be leaked to other websites. Javascript returned for CentralAuth's login would update the page DOM with the username, even when included on other sites. (CVE-2013-6455) https://bugzilla.wikimedia.org/show_bug.cgi?id=57081
* SemanticForms: Ravindra Singh Rathore reported a missing CSRF check to Mozilla, who reported the issue to us. Several other forms in the extension were also fixed. https://bugzilla.wikimedia.org/show_bug.cgi?id=57025
== Bug fixes in 1.22.1 ==
* (bug 59945) 1.22 tarball offers Extension SimpleAntiSpam which is supposed to be in core.
* (bug 58178) Restore compatibility with curl < 7.16.2.
* (bug 56931) Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at translatewiki.net. This change is backported from the development branch of MediaWiki 1.23.
* (bug 58434) The broken installer for database backend Oracle was fixed.
* (bug 58167) The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
* (bug 47055) Changed FOR UPDATE handling in Postgresql
Full release notes for 1.22.1: https://www.mediawiki.org/wiki/Release_notes/1.22
Full release notes for 1.21.4: https://www.mediawiki.org/wiki/Release_notes/1.21
Full release notes for 1.19.9: https://www.mediawiki.org/wiki/Release_notes/1.19
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** 1.22.1 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.tar.gz
Patch to previous version (1.22.0), without interface text: http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.22/mediawiki-i18n-1.22.1.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.1.tar.gz.si... http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.tar.gz.sig http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.patch.gz.sig http://download.wikimedia.org/mediawiki/1.22/mediawiki-i18n-1.22.1.patch.gz....
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** 1.21.4 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.tar.gz
Patch to previous version (1.21.3), without interface text: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.4.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.4.tar.gz.si... http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.tar.gz.sig http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.patch.gz.sig http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.4.patch.gz....
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** 1.19.10 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.tar.gz
Patch to previous version (1.19.9), without interface text: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.10.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.10.tar.gz.s... http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.tar.gz.sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.patch.gz.sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.10.patch.gz...
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Extension:TimedMediaHandler ********************************************************************** Information and Download: https://www.mediawiki.org/wiki/Extension:TimedMediaHandler
********************************************************************** Extension:Scribunto ********************************************************************** Information and Download: https://www.mediawiki.org/wiki/Extension:Scribunto
********************************************************************** Extension:CentralAuth ********************************************************************** Information and Download: https://www.mediawiki.org/wiki/Extension:CentralAuth
********************************************************************** Extension:SemanticForms ********************************************************************** Information and Download: https://www.mediawiki.org/wiki/Extension:SemanticForms
wikitech-l@lists.wikimedia.org