[Wikitech-l] [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
Chris Steipp
csteipp at wikimedia.org
Tue Sep 3 20:50:16 UTC 2013
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an invalid language is specified in ResourceLoader
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>
* An internal review found several API modules allowed anti-CSRF tokens to
be accessed via JSONP.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>
* Andreas Peetz reported an issue with the MediaWiki API where an invalid
property name could be used for XSS with older versions of Internet
Explorer.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>
Additionally, the following extensions have been updated to fix security
issues:
* CentralAuth: An internal review found an authentication regression that
allowed an attacker to bypass authentication
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>
* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
example.php script
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>
* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
anti-CSRF tokens for checking users
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>
* Wikibase: Liangent reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>
* LiquidThreads: Alex Monk reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>
Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>
Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz
Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz
Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz
Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth
**********************************************************************
Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
**********************************************************************
Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser
**********************************************************************
Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase
**********************************************************************
Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
More information about the Wikitech-l
mailing list