[Foundation-l] Security holes in Mediawiki

Andrew Gray andrew.gray at dunelm.org.uk
Tue Sep 15 17:59:49 UTC 2009


2009/9/15 Gregory Kohs <thekohser at gmail.com>:
> I was sort of surprised to learn today that Mediawiki software has had 37
> security holes identified:
>
> http://akahele.org/2009/09/false-sense-of-security/
>
> Are most of these patched now, or are they still open?  If still open, is
> the Foundation making site & user security more of a priority in 2010?

The most recent one (the only 2009 notice) which that blog links to is
explicitly resolved:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0737
http://lists.wikimedia.org/pipermail/mediawiki-announce/2009-February/000083.html

Note that it was entered into the database on 25 February, two weeks
after solution and marked as not affecting the most recent release
version on the same day. Skimming down the list, it looks like most of
them are in the same boat -

CVE-2008-5688: "MediaWiki 1.8.1, and other versions before 1.13.3,
when the wgShowExceptionDetails variable is enabled..."

CVE-2008-5687: "MediaWiki 1.11, and other versions before 1.13.3, does
not properly protect against the download of backups of deleted
images..."

The database appears to record *known* problems in all versions of the
software, rather than just "open problems". I haven't checked each
one, but all the recent ones look solved, so I think we're safe - at
least, safe from the problems we know about, which is always the
important caveat!

-- 
- Andrew Gray
  andrew.gray at dunelm.org.uk