oss-sec mailing list archives
Re: CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 04 Sep 2013 23:47:27 -0600
On 09/04/2013 04:18 AM, Thijs Kinkhorst wrote:
> Hi,
>
> Mediawiki has announced the following security releases. The message
> contains a link to the patches for various release branches.
>
> Can CVE names be assigned please?
>
> thanks,
> Thijs
Top posting because I'm lazy

CVE-2013-4301 MediaWiki full path disclosure in MediaWiki 46332
CVE-2013-4302 MediaWiki CSRF token access 49090
CVE-2013-4303 MediaWiki XSS with IE 52746
CVE-2013-4304 MediaWiki CentralAuth auth bypass
CVE-2013-4305 MediaWiki SyntaxHighlight_GeSHi XSS
CVE-2013-4306 MediaWiki CheckUser CSRF bypass
CVE-2013-4307 MediaWiki Wikibase XSS
CVE-2013-4308 MediaWiki LiquidThreads XSS
> ---------------------------- Original Message ----------------------------
> Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8
> From: "Chris Steipp" <csteipp () wikimedia org>
> Date: Tue, September 3, 2013 22:50
> To: mediawiki-announce () lists wikimedia org
>     "MediaWiki-l" <mediawiki-l () lists wikimedia org>
>     "Wikimedia developers" <wikitech-l () lists wikimedia org>
> --------------------------------------------------------------------------
>
> I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
> 1.19.8. These releases fix 3 security related bugs that could affect
> users of MediaWiki. Download links are given at the end of this email.
>
> * Mozilla, and other developers, reported a full path disclosure in
>   MediaWiki, when an invalid language is specified in ResourceLoader
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>
>
> * An internal review found several API modules allowed anti-CSRF tokens
>   to be accessed via JSONP.
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>
>
> * Andreas Peetz reported an issue with the MediaWiki API where an
>   invalid property name could be used for XSS with older versions of
>   Internet Explorer.
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>
>
> Additionally, the following extensions have been updated to fix
> security issues:
>
> * CentralAuth: An internal review found an authentication regression
>   that allowed an attacker to bypass authentication
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>
>
> * SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
>   example.php script
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>
>
> * CheckUser: Alex Monk reported and fixed that CheckUser didn't require
>   anti-CSRF tokens for checking users
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>
>
> * Wikibase: Liangent reported and fixed an XSS
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>
>
> * LiquidThreads: Alex Monk reported and fixed an XSS
>   <https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>
>
> Full release notes for 1.21.2:
> <https://www.mediawiki.org/wiki/Release_notes/1.21>
>
> Full release notes for 1.20.7:
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
>
> Full release notes for 1.19.8:
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> 1.21.2
> **********************************************************************
>
> Download:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz
>
> Patch to previous version (1.21.1):
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.20.7
> **********************************************************************
>
> Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz
>
> Patch to previous version (1.20.6):
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.19.8
> **********************************************************************
>
> Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz
>
> Patch to previous version (1.19.7):
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Extension:CentralAuth
> **********************************************************************
>
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CentralAuth
>
> **********************************************************************
> Extension:SyntaxHighlight_GeSHi
> **********************************************************************
>
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi
>
> **********************************************************************
> Extension:CheckUser
> **********************************************************************
>
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:CheckUser
>
> **********************************************************************
> Extension:Wikibase
> **********************************************************************
>
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:Wikibase
>
> **********************************************************************
> Extension:LiquidThreads
> **********************************************************************
>
> Information and Download:
> https://www.mediawiki.org/wiki/Extension:LiquidThreads
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
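The CVE-2013-4302 item above (anti-CSRF tokens reachable via JSONP) is worth a concrete illustration of why a JSONP response must never carry a credential-bound secret: the response is a script, any origin can load it with a script tag, and the browser attaches the victim's cookies to that load. The following is an added example, not MediaWiki's code and not taken from the announcement; it is a constructed toy "tokens" module with hypothetical names (`vulnerable_tokens_module`, `hardened_tokens_module`, `token_leaks`) that shows the pre-fix pattern beside one common mitigation, namely handling any JSONP request as if it were unauthenticated and restricting the callback to an identifier.

```python
"""Constructed toy model of an API "tokens" module that answers in JSON or JSONP.
Added illustration, not MediaWiki's code; every name here is hypothetical."""
import hashlib
import hmac
import json
import re
from typing import Optional

SERVER_SECRET = b"demo-only-server-secret"   # constructed value, not a real key
ANON_TOKEN = "+\\"                            # placeholder token for logged-out requests
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")


def csrf_token(session_id: str) -> str:
    """Session-bound anti-CSRF token: only pages on the site's own origin should read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:32]


def _render(body: dict, callback: Optional[str]) -> str:
    """Plain JSON, or JSONP: a script that calls `callback` with the JSON as its argument."""
    out = json.dumps(body)
    return f"{callback}({out})" if callback else out


def vulnerable_tokens_module(params: dict, session_id: Optional[str]) -> str:
    """Pre-fix pattern: the session token is emitted even when `callback` is set.
    Because a JSONP response is loaded via <script src=...> from any origin, and the
    browser sends the victim's cookies with that load, the token leaves the origin."""
    token = csrf_token(session_id) if session_id else ANON_TOKEN
    return _render({"tokens": {"edittoken": token}}, params.get("callback"))


def callback_is_valid(callback: str) -> bool:
    """Restrict the callback to an identifier; a free-form callback is script injection."""
    return CALLBACK_RE.match(callback) is not None


def hardened_tokens_module(params: dict, session_id: Optional[str]) -> str:
    """One mitigation: output that is readable cross-origin (JSONP) is produced as if no
    session existed, so only the anonymous placeholder token can ever be exposed."""
    callback = params.get("callback")
    if callback is not None:
        if not callback_is_valid(callback):
            raise ValueError("rejected callback name")
        session_id = None   # drop credentials before rendering cross-origin-readable output
    token = csrf_token(session_id) if session_id else ANON_TOKEN
    return _render({"tokens": {"edittoken": token}}, callback)


def token_leaks(response: str, session_id: str) -> bool:
    """Detection check for a review or regression test: does the response expose the
    session's real token?"""
    return csrf_token(session_id) in response


if __name__ == "__main__":
    jsonp = {"callback": "cb"}
    print("vulnerable JSONP leaks token:", token_leaks(vulnerable_tokens_module(jsonp, "sess-1"), "sess-1"))
    print("hardened JSONP leaks token:  ", token_leaks(hardened_tokens_module(jsonp, "sess-1"), "sess-1"))
    print("same-origin JSON response:   ", hardened_tokens_module({}, "sess-1"))
```

The `token_leaks` check is the part a reviewer can reuse: run every API module that emits a token once with and once without a callback parameter, and fail the build if the session-bound value appears in the JSONP form. The same reasoning applies to any other per-user secret in a JSONP-capable endpoint, not just CSRF tokens.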