[Mediawiki-l] Question regarding Release 1.15.2
Rowe, Dolores A
dolores.a.rowe at boeing.com
Tue Mar 30 19:20:05 UTC 2010
Teammates,
Do the security updates described below for MediaWiki version 1.15.2 pertain to
every version of MediaWiki released up to this point ? Or do they pertain to the
1.15.x branch only ?
Thank you for sharing this information if you know it.
Lori
-----Original Message-----
From: mediawiki-announce-bounces at lists.wikimedia.org [mailto:mediawiki-announce-bounces at lists.wikimedia.org] On Behalf Of mediawiki-announce-request at lists.wikimedia.org
Sent: Tuesday, March 09, 2010 6:00 AM
To: mediawiki-announce at lists.wikimedia.org
Subject: MediaWiki-announce Digest, Vol 24, Issue 1
Send MediaWiki-announce mailing list submissions to
mediawiki-announce at lists.wikimedia.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
or, via email, send a message with subject or body 'help' to
mediawiki-announce-request at lists.wikimedia.org
You can reach the person managing the list at
mediawiki-announce-owner at lists.wikimedia.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of MediaWiki-announce digest..."
Today's Topics:
1. MediaWiki security update: 1.15.2 (Tim Starling)
----------------------------------------------------------------------
Message: 1
Date: Mon, 08 Mar 2010 15:49:28 -0800
From: Tim Starling <tstarling at wikimedia.org>
Subject: [MediaWiki-announce] MediaWiki security update: 1.15.2
To: mediawiki-announce at lists.wikimedia.org,
mediawiki-l at lists.wikimedia.org, wikitech-l at lists.wikimedia.org
Message-ID: <4B958D08.1070803 at wikimedia.org>
Content-Type: text/plain; charset=UTF-8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a security and bugfix release of MediaWiki 1.15.2.
Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected.
Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the patch below to whatever version of MediaWiki you are using.
MediaWiki is not compatible with PHP 5.3.1 due to a bug in that release, which is fixed in PHP 5.3.2. This release of MediaWiki will refuse to upgrade if an affected version of PHP is present. Note that local or distribution-specific backports of the PHP bug fix are supported. See http://bugs.php.net/50394 for details.
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_2/phase3/RELEASE-NOTES
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.tar.gz
Patch to previous version (1.15.1), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.2.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.2.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkuVjQcACgkQgkA+Wfn4zXkYqACfRXMeQdbHT2ep+xEbkgPpz+BA
5pgAoMhuJQ6UJrW8Wdh/Ji9VA/h8MRH0
=CDe6
-----END PGP SIGNATURE-----
------------------------------
_______________________________________________
MediaWiki-announce mailing list
MediaWiki-announce at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
End of MediaWiki-announce Digest, Vol 24, Issue 1
*************************************************
More information about the MediaWiki-l
mailing list