I would like to announce the release of MediaWiki 1.20.4 and 1.19.5. These releases fix 3 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email.
* An internal review discovered that specially crafted Lua function names could lead to XSS. https://bugzilla.wikimedia.org/show_bug.cgi?id=46084
* Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. https://bugzilla.wikimedia.org/show_bug.cgi?id=46859
* Internal review also discovered that Special:Import and Extension:RSS failed to prevent XML external entity (XXE) processing. https://bugzilla.wikimedia.org/show_bug.cgi?id=47251
Full release notes for 1.20.4: https://www.mediawiki.org/wiki/Release_notes/1.20
Full release notes for 1.19.5: https://www.mediawiki.org/wiki/Release_notes/1.19
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
**********************************************************************
1.20.4
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz
Patch to previous version (1.20.3): http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
1.19.5
**********************************************************************
Download: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz
Patch to previous version (1.19.4): http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html
**********************************************************************
Extension:RSS
**********************************************************************
Information and Download: https://www.mediawiki.org/wiki/Extension:RSS
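
An added example, not part of the announcement and not MediaWiki's code: a pre-parse screen for uploaded SVG that targets the XXE class described in the second and third items above. It uses Python's expat binding rather than PHP. The policy of rejecting any entity declaration, the name `screen_svg`, and the sample documents are assumptions made for illustration, not the fix that shipped.

```python
import xml.parsers.expat


class EntityDeclared(Exception):
    """Raised from the expat callback to stop parsing at the first <!ENTITY>."""

    def __init__(self, kind, name):
        super().__init__(f"{kind} entity declaration: {name}")
        self.kind = kind
        self.name = name


def _on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    # For external entities expat passes value=None and fills system_id/public_id.
    # Raising here aborts Parse() before any entity reference is expanded.
    if system_id is not None or public_id is not None:
        raise EntityDeclared("external", name)
    raise EntityDeclared("internal", name)


def screen_svg(data: bytes) -> tuple[str, str]:
    """Return (verdict, detail) where verdict is 'accept' or 'reject'."""
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never fetches a URI.
    root = []
    parser.StartElementHandler = lambda tag, attrs: root or root.append(tag)
    try:
        parser.Parse(data, True)
    except EntityDeclared as exc:
        return ("reject", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("reject", f"not well-formed: {exc}")
    if not root or root[0].rsplit(":", 1)[-1] != "svg":
        return ("reject", "root element is not <svg>")
    return ("accept", "no entity declarations")


# Constructed sample documents (placeholder URI, not taken from the bug reports).
PLAIN = (b'<?xml version="1.0"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
         b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
         b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>')
EXTERNAL = (b'<?xml version="1.0"?><!DOCTYPE svg ['
            b'<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
INTERNAL = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaa">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>')

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("external", EXTERNAL), ("internal", INTERNAL)):
        print(label, screen_svg(doc))
```

A screen like this complements, and does not replace, disabling external entity loading in the parser that actually processes the file.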