[MediaWiki-announce] MediaWiki Security Releases: 1.22.1, 1.21.4 and 1.19.10

Chris Steipp csteipp at wikimedia.org
Tue Jan 14 07:34:32 UTC 2014


I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and
1.19.10.
These releases fix a number of security related bugs that could affect
users of
MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance release. It fixes
several bugs. You can consult the RELEASE-NOTES-1.22 file for the full list
of
changes in this version. Download links are given at the end of this email.


== Security fixes ==

* MediaWiki user Michael M reported that the fix for bug 55332
(CVE-2013-4568)
allowed insertion of escaped CSS values which could pass the CSS validation
checks, resulting in XSS. (CVE-2013-6451)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58088>

* Chris from RationalWiki reported that SVG files could be uploaded that
include external stylesheets, which could lead to XSS when an XSL was used
to
include JavaScript. (CVE-2013-6452)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=57550>

* During internal review, it was discovered that MediaWiki's SVG
sanitization
could be bypassed when the XML was considered invalid. (CVE-2013-6453)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58553>

* Durign internal review, it was discovered that MediaWiki's CSS
sanitization
did not filter -o-link attributes, which could be used to execute
JavaScript in
Opera 12. (CVE-2013-6454)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58472>

* During internal review, it was discovered that MediaWiki displayed some
information about deleted pages in the log API, enhanced RecentChanges, and
user watchlists. (CVE-2013-6472)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=58699>

Additionally, the following extensions have been updated to fix security
issues:

* TimedMediaHandler: Bawolff discovered an XSS vulnerability with the way
the
extension stored and used HTML for showing videos. (CVE-2013-4574)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=56699>

* Scribuntu: Internal review found a NULL pointer dereference in
php-luasandbox, which could be used for DoS attacks. (CVE-2013-4570)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54527>

* Scribuntu: Internal review found a Buffer Overflow in php-luasandbox. It's
not know if this could be use for code execution on the server.
(CVE-2013-4571)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49705>

* CentralAuth: Eran Roz reported that MediaWiki usernames could be leaked to
other websites. Javascript returned for CentralAuth's login would update the
page DOM with the username, even when included on other sites.
(CVE-2013-6455)
<https://bugzilla.wikimedia.org/show_bug.cgi?id=57081>

* SemanticForms: Ravindra Singh Rathore reported a missing CSRF check to
Mozilla, who reported the issue to us. Several other forms in the extension
were also fixed.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=57025>

== Bug fixes in 1.22.1 ==

* (bug 59945) 1.22 tarball offers Extension SimpleAntiSpam which is supposed
to be in core.

* (bug 58178) Restore compatibility with curl < 7.16.2.

* (bug 56931) Updated the plural rules to CLDR 24. They are in new format
which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
the JavaScript evaluator were updated to support the new format. Plural
rules
for some languages have changed, most notably Russian. Affected software
messages have been updated and marked for review at translatewiki.net.
This change is backported from the development branch of MediaWiki 1.23.

* (bug 58434) The broken installer for database backend Oracle was fixed.

* (bug 58167) The web installer no longer throws an exception when PHP is
  compiled without support for MySQL yet with support for another DBMS.

* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
to appear blank or with missing text.

* (bug 47055) Changed FOR UPDATE handling in Postgresql


Full release notes for 1.22.1:
<https://www.mediawiki.org/wiki/Release_notes/1.22>

Full release notes for 1.21.4:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.19.9:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.22.1
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.tar.gz

Patch to previous version (1.22.0), without interface text:
http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.22/mediawiki-i18n-1.22.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.22/mediawiki-1.22.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.22/mediawiki-i18n-1.22.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.21.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.tar.gz

Patch to previous version (1.21.3), without interface text:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.19.10
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.tar.gz

Patch to previous version (1.19.9), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.10.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.10.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.10.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.10.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   Extension:TimedMediaHandler
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:TimedMediaHandler

**********************************************************************
   Extension:Scribunto
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Scribunto

**********************************************************************
   Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
   Extension:SemanticForms
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SemanticForms


More information about the MediaWiki-announce mailing list