[Wikitech-l] [MediaWiki-announce] MediaWiki 1.13.3, 1.12.2, 1.6.11 security update

Tim Starling tstarling at wikimedia.org
Mon Dec 15 11:09:28 UTC 2008


This is a security release of MediaWiki 1.13.3, 1.12.1 and 1.6.11.
Some of the security issues affect *all* versions of MediaWiki except
the versions released today, so all site administrators are encouraged
to upgrade.

Users of the development (trunk) branch should upgrade to r44506 or later.

David Remahl of Apple's Product Security team has identified a number
of security issues in MediaWiki. Subsequent analysis by the MediaWiki
development team led to further discoveries. The issues with a
significant impact are as follows:

* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
[CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.
[CVE-2008-5252]

These four vulnerabilities are all fixed in these releases.

XSS (cross-site scripting) vulnerabilities allow an attacker to steal
an authorised user's login session, and to act as that user on the
wiki. The authorised user must visit a web page controlled by the
attacker in order to activate the attack. Intranet wikis are
vulnerable if the attacker can determine the intranet URL.

Local script injection vulnerabilities are like XSS vulnerabilities,
except that the attacker must have an account on the local wiki, and
there is no external site involved. The attacker uploads a script to
the wiki, which another user is tricked into executing, with the
effect that the attacker is able to act as the privileged user.

CSRF vulnerabilities allow an attacker to act as an authorised user on
the wiki, but unlike an XSS vulnerability, the attacker can only act
as the user in a specific and restricted way. The present CSRF
vulnerability allows pages to be edited, with forged revision
histories. Like an XSS vulnerability, the authorised user must visit
the malicious web page to activate the attack.

David Remahl also reminded us of some security-related configuration
issues:

* Since 1.11, by default, MediaWiki stores a backup of deleted images in
  the images/deleted directory. If you do not want these images to be
  publicly accessible, make sure this directory is not accessible from
  the web. MediaWiki takes some steps to avoid leaking these images, but
  these measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via PHP
  fatal errors. This is the default on most shared web hosts.
* Enabling MediaWiki's debugging features, such as
  $wgShowExceptionDetails, may lead to path disclosure.
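As an added example (not part of this advisory or of MediaWiki itself), a POSIX shell audit of the three configuration points above, run offline against an install root and a php.ini. It assumes the deleted-image backups live at images/deleted under the install root; treating a .htaccess containing "Deny from all" as sufficient protection is this example's own heuristic, so the directory's real web exposure still has to be confirmed against the web server configuration.

```shell
#!/bin/sh
# audit_mw_config <mediawiki_root> <php_ini>
# Prints one line per finding and returns the number of findings (0 = clean).
audit_mw_config() {
    root=$1; ini=$2; findings=0

    # 1. Backups of deleted images (images/deleted, since 1.11) must not be
    #    reachable from the web. Heuristic (this example's assumption): flag
    #    the directory when it has no .htaccess that denies access.
    deleted="$root/images/deleted"
    if [ -d "$deleted" ] && ! grep -qsi 'deny from all' "$deleted/.htaccess"; then
        echo "FINDING: $deleted exists without an access-denying .htaccess"
        findings=$((findings + 1))
    fi

    # 2. display_errors must be off to avoid path disclosure via PHP fatals.
    #    Take the last uncommented directive; PHP's built-in default is On,
    #    so a missing directive is also a finding.
    val=$(grep -i '^[[:space:]]*display_errors[[:space:]]*=' "$ini" 2>/dev/null \
          | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        off|0|false) ;;
        *) echo "FINDING: display_errors is '${val:-unset}' in $ini (expected Off)"
           findings=$((findings + 1)) ;;
    esac

    # 3. Debugging features such as $wgShowExceptionDetails leak paths.
    if grep -Eq '^[[:space:]]*\$wgShowExceptionDetails[[:space:]]*=[[:space:]]*true' \
            "$root/LocalSettings.php" 2>/dev/null; then
        echo "FINDING: \$wgShowExceptionDetails is enabled in $root/LocalSettings.php"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: audit_mw_config /var/www/wiki /etc/php5/apache2/php.ini
```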

Users of MediaWiki 1.6.x (the last branch which supported PHP 4) are
strongly recommended to upgrade to PHP 5 and MediaWiki 1.13.3. It is
not necessary to upgrade to 1.6.11 first, just upgrade directly to the
latest version.

Upgrade FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_3/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_11/phase3/RELEASE-NOTES


**********************************************************************
    MEDIAWIKI   1.13.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.tar.gz

Patch to previous version (1.13.2), without interface text:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
    MEDIAWIKI   1.12.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.tar.gz

Patch to previous version (1.12.1), without interface text:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
    MEDIAWIKI   1.6.11
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.tar.gz

Patch to previous version (1.6.10):
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.6/mediawiki-1.6.11.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
