[MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

Chris Steipp csteipp at wikimedia.org
Mon Mar 4 19:19:22 UTC 2013


I would like to announce the release of MediaWiki 1.20.3 and 1.19.4.
These releases fix 3 security-related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST
when establishing an SSL connection, instead of '2'.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=44135>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=42441>

* MediaWiki developer Krenair discovered that the full user object,
including password hash, could be returned when unblocking a user by
the API. Exploitation of this vulnerability requires the user to have
permission to unblock users; by default this is limited to users in
the sysop group.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=43518>

* MediaWiki developer Platonides discovered that the maintenance
script mwdoc-filter.php did not check if it was being run via the CLI,
and could allow an attacker to read arbitrary files if PHP's
register_globals was enabled and the .htaccess file in the maintenance
directory, which by default denies access for all users, was disabled.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45355>
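As an added illustration, not code from the MediaWiki release, the following hypothetical PHP helper shows the corrected curl setting beside the weak one described in the first item, and its command-line guard mirrors the CLI check the third item says mwdoc-filter.php lacked. The helper name https_get, its parameters and the sample URL are assumptions.

```php
<?php
// Added example, not MediaWiki code. Hypothetical helper that fetches a URL
// over HTTPS with curl's certificate checks fully enabled.
//
// CURLOPT_SSL_VERIFYHOST is an integer, not a boolean:
//   0 -> do not check the certificate's name at all
//   1 -> (older curl) only check that the certificate carries *some* name;
//        it is never compared against the host being connected to
//   2 -> require the certificate's name to match the requested host
// PHP casts `true` to 1, so curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true)
// selected the weak mode 1 instead of the intended 2. Newer curl versions
// treat 1 as 2, but an installation should not rely on that.

function https_get(string $url, ?string $caBundle = null): string
{
    if (strncmp($url, 'https://', 8) !== 0) {
        throw new InvalidArgumentException("refusing non-HTTPS URL: $url");
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // no silent redirect to http://
        CURLOPT_SSL_VERIFYPEER => true,   // validate the chain against a CA
        CURLOPT_SSL_VERIFYHOST => 2,      // integer 2, never `true`
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle; // explicit CA bundle path
    }
    if (!curl_setopt_array($ch, $opts)) {
        curl_close($ch);
        throw new RuntimeException('failed to set curl options');
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // Name mismatch or untrusted chain now fails closed with an error
        // such as "SSL: no alternative certificate subject name matches ..."
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS/HTTP failure: $err");
    }
    curl_close($ch);
    return $body;
}

// Run only from the command line, as a maintenance script should check.
if (PHP_SAPI === 'cli' && $argc > 1) {
    echo https_get($argv[1]);  // e.g. php https_get.php https://example.org/
}
```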


Full release notes for 1.20.3:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.4:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.20.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz

Patch to previous version (1.20.2), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   1.19.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz

Patch to previous version (1.19.3), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


