oss-sec mailing list archives

Re: CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 16 Apr 2013 13:08:39 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2013 06:00 AM, Thijs Kinkhorst wrote:
Hi all,

Please assign CVE names for the issues below in Mediawiki. The
announcement contains references to bug numbers which have all the 
details.

Unfortunately they were on a tight schedule and I was also busy on
other things so it didn't get done in time for the public announcement.



Thanks, Thijs

---------------------------- Original Message
---------------------------- Subject: [MediaWiki-announce]
MediaWiki Security Release: 1.20.4 and 1.19.5 From:    "Chris
Steipp" <csteipp () wikimedia org> Date:    Mon, April 15, 2013 22:37 
To:      mediawiki-announce () lists wikimedia org "MediaWiki-l"
<mediawiki-l () lists wikimedia org> "Wikimedia developers"
<wikitech-l () lists wikimedia org> 
--------------------------------------------------------------------------

 I would like to announce the release of MediaWiki 1.20.4 and
1.19.5. These releases fix 3 security related bugs that could
affect users of MediaWiki. Download links are given at the end of
this email.

* An internal review discovered that specially crafted Lua
function names could lead to XSS. 
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

This was assigned CVE-2013-1951

* Daniel Franke reported that during SVG parsing, MediaWiki failed
to prevent XML external entity (XXE) processing. This could lead to
local file disclosure, or potentially remote command execution in 
environments that have enabled expect:// handling. 
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and 
Extension:RSS failed to prevent XML external entity (XXE)
processing. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>

As per this:

http://seclists.org/oss-sec/2013/q2/5

no CVE's were assigned for the XXE stuff, upstream agrees. Steven can
you confirm this is the correct action to take?

Full release notes for 1.20.4: 
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.5: 
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see 
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************


1.20.4
**********************************************************************


Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz

 Patch to previous version (1.20.3): 
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz

 GPG signatures: 
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig


http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig

Public keys: https://secure.wikimedia.org/keys.html


**********************************************************************


1.19.5
**********************************************************************


Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz

 Patch to previous version (1.19.4): 
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz

 GPG signatures: 
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig


http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig

Public keys: https://secure.wikimedia.org/keys.html

**********************************************************************


Extension:RSS
**********************************************************************


Information and Download:
https://www.mediawiki.org/wiki/Extension:RSS

_______________________________________________ MediaWiki
announcements mailing list To unsubscribe, go to: 
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbaG3AAoJEBYNRVNeJnmTp0oQANKV7zFSJHnSa3QYgrujHd4v
MPkq1eTnXGYb86yW48nOqgNyd/n02WFTWgYLYfh+fOXWC2mM+lNfEyl0lrtp6fAK
S/o6yxfQJcVYGVO3R7eemTAqBRSEdchK6yH/Fm7xqJOatyzqzh1XZbEHtzv1wCKw
dDlkc3kIVZRViOxERTTbZ+HTjzivirRsGgnJ1O2ZTrZeX4rpXd4zBi7iEv2uOSQH
YJiWAOYftMow53LXZltXhlCe0d1QMgIjljYfKj3jwjiEbTUI1fD2Zy/gT56QhmrJ
8Khlk70I3zsdZCHVyO67/T0Z6sWla7OAhOnAqOWlcAQoKlgStFwozX1mHQ2fJ+lJ
zvpXD5dJ2efUFsJPqa3njDmUQsoFLU6HLdJqPvQC5E8ObVd5sU0L1yaD6tv2CL5S
SAdeIoXEXhZs7wZrBDfFx1zTmpyhnKUkjebL+pQPgRZhqhAGftoxmzcCMnA1G8n2
xMI9QEHSZtCq8lHB272lJAszWhS/kuc7x/zktBIrutC1EV6hrNE7HUEIUYHF7H7F
M8B2pnQdAW06n7TmL1dlF0637yL0cf3VQiSRGsHXnhhvsXFhNT1+xdjWYkHZROPx
E9olmi8lKpYctMyAkuoF727bOicNEWX5ZBfmjYBnbGkL65ZxwTneuAqdxe4wz4VH
tp1ruVkgJaFGA6EXOxoG
=IjH9
-----END PGP SIGNATURE-----


Current thread: