gmane.org.wikimedia.mediawiki.announce

MediaWiki Security Release: 1.20.5 and 1.19.6

Chris Steipp — 2013-04-30T20:14:43

I would like to announce the release of MediaWiki 1.20.5 and 1.19.6.
These releases fix 2 security related issues that could affect users
of MediaWiki. Download links are given at the end of this email.

* Jan Schejbal / Hatforce.com reported that SVG script filtering could
be bypassed for Chrome and Firefox clients by using an encoding that
MediaWiki understood, but these browsers interpreted as UTF-8.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47304>

* Internal review discovered that extensions were not given the
opportunity to disable a password reset, which could lead to
circumvention of two-factor authentication.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46590>

Full release notes for 1.20.5:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.6:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************

Pre-Release Announcement for MediaWiki 1.19.6and 1.20.5

Chris Steipp — 2013-04-29T20:14:16

This is a notice that on Tuesday, April 30th between 20:00-21:00 UTC
(1-2pm PDT) Wikimedia Foundation will release security updates for
current and supported branches of the MediaWiki software. Downloads
and patches will be available at that time, with the git repositories
updated later that afternoon.

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

MediaWiki Security Release: 1.20.4 and 1.19.5

Chris Steipp — 2013-04-15T20:37:29

I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>


Full release notes for 1.20.4:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.5:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For inform

Pre-Release Announcement for MediaWiki 1.19.5and 1.20.4

Chris Steipp — 2013-04-12T22:09:40

This is a notice that on Monday, April 15th between 20:00-21:00 UTC
(1-2pm PDT) Wikimedia Foundation will release security updates for
current and supported branches of the MediaWiki software. Downloads
and patches will be available at that time, with the git repositories
updated later that afternoon. CVSS scores are between 4.3 and 7.1,
most users will want to update.

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

MediaWiki security release: 1.20.3 and 1.19.4

Chris Steipp — 2013-03-04T19:19:22

I would like to announce the release of MediaWiki 1.20.3 and 1.19.4.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST
when establishing an SSL connection, instead of '2'.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=44135>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=42441>

* MediaWiki developer Krenair discovered that the full user object,
including password hash, could be returned when unblocking a user by
the API. Exploitation of this vulnerability requires the user to have
permissions to unblock users, by default this is limited to users in
the sysop group.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=43518>

* MediaWiki developer Platonides discovered that the maintenance
script mwdoc-filter.php did not check if it was being run via the CLI,
and could allow an attacker to read arbitrary files if PHP's
register_globals was enabled and the .ht

Pre-Release Announcement for MediaWiki 1.19.4and 1.20.3

Chris Steipp — 2013-03-01T19:08:46

This is a notice to let you know that on Monday, March 4th between
21:00-22:00 UTC (1-2pm PST) Wikimedia Foundation will release security
updates for current and supported branches of the MediaWiki software.
Downloads and patches will be available at that time, with the git
repositories updated later that afternoon.

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

MediaWiki maintenance release 1.20.2

Chris Steipp — 2012-12-04T23:20:45

I would like to announce the release of MediaWiki 1.20.2. This is a maintenance
release correcting issues from the 1.20.1 security release.

* (bug 42638) Fixes action=options&reset=1 in the API, and fixes unit tests.
* (bug 42370) Fixes backport of 60cc060 to use mDoneWrites instead of
   mTrxDoneWrites.

Full release notes:
<https://www.mediawiki.org/wiki/Release_notes/1.20>


**********************************************************************
Download:
<http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz>

Patch to previous version (1.20.1):
<http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.patch.gz>

GPG signatures:
<http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz.sig>
<http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.patch.gz.sig>

Public keys:
<https://secure.wikimedia.org/keys.html>

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/m

MediaWiki security release: 1.20.1,1.19.3 and 1.18.6

Chris Steipp — 2012-11-30T01:30:16

I would like to announce the release of MediaWiki 1.20.1, 1.19.3 and
1.18.6. These releases fix 3 security related bugs that could affect
users of MediaWiki. Download links are given at the end of this email
. Please note that support for the MediaWiki 1.18  branch ends this
month.

* During an internal review, it was discovered that MediaWiki core is
vulnerable to session fixation attacks. Successful exploitation could
allow an attacker to compromise another user's account. This issues
has been assigned CVE-2012-5391.  A similar vulnerability was also
identified in the CentralAuth Extension, and assigned CVE-2012-5395.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40995>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40962>

* Wikipedia user PleaseStand discovered that a new API feature in
MediaWiki 1.20 allowed for HTML code to be injected into the
"editfont" option. Since this option only affects the current user,
exploitation for XSS is difficult. However, users of MediaWiki 1.20
are encouraged to upg

Pre-Release Announcement for MediaWiki 1.18.6,1.19.3, and 1.20.1

Chris Steipp — 2012-11-28T04:29:24

On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on Thursday. We will send another
announcement email when the patches and tar files are ready for
download.

* Vulnerabilities were found in both MediaWiki core and the
CentralAuth extension. Successful exploitation could allow an attacker
to compromise another user's account. Risk is considered moderate
(CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to
prevent users from viewing Special:RecentChanges, and other pages,
which could prevent the detection of SPAM or vandalism. Public wikis
are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS.
Exploitation requires user interaction or an existing XSS
vulnerability, so risk of exploitation is low.

For infor

MediaWiki 1.20.0 released

Mark A. Hershberger — 2012-11-07T01:22:40

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I'm happy to announce the availability of the first stable release
of the new MediaWiki 1.20 release series.

MediaWiki 1.20 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.20 file for the full list of changes
in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports.

== What's new? ==

MediaWiki 1.20 brings the usual host of various bugfixes and new features.

* Minimum PHP version is now 5.3.2.

* New diff view, greatly improved in clarity especially for
whitespace and other small changes and color-blind users.

* New special page Special:MostInterwikis.

* New magic word {{PAGEID}} which gives the current page ID.

* The info action has been reimplemented.

Internationalization:

* New languages supported: Emilian (egl), Tornedalen Finnish (fit),
Mizo (lus), Santali (sat),

MediaWiki security release: 1.19.2 and 1.18.5

Chris Steipp — 2012-08-31T04:26:30

I would like to announce the release of MediaWiki 1.19.2 and 1.18.5.
These releases fix 6 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* Wikipedia administrator Writ Keeper discovered a stored XSS (HTML
injection) vulnerability. This was possible due to the handling of
link text on File: links for nonexistent files. MediaWiki 1.16 and
later is affected. For more details, see
<https://bugzilla.wikimedia.org/show_bug.cgi?id=39700>

* User Fomafix reported several DOM-based XSS vulnerabilities, made
possible by a combination of loose filtering of the uselang parameter,
and JavaScript gadgets on various language Wikipedias. For more
details, see <https://bugzilla.wikimedia.org/show_bug.cgi?id=37587>

* During internal review, it was discovered that CSRF tokens,
available via the api, were not protected with X-Frame-Options
headers. This could lead to a CSRF vulnerability if the API response
is embedded in an external website using an iframe. For

MediaWiki security release 1.19.1

Sam Reed — 2012-06-13T21:19:53

I would like to announce the release of MediaWiki 1.19.1. One security issue
was discovered.

Both Chris Steipp and Formafix discovered that the uselang http parameter
was vulnerable to XSS.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=36938

Chris Steipp also improved the blacklisting of bad elements in SVG files.
This includes catching known
hostile files, and also disallowing the upload of svg files that include
remote resources.

This is work is part of an on-going effort to prevent exploits being hidden
in uploaded SVG files.

MediaWiki 1.19.1 also received a couple of other non-security bugfixes.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE
LEASE-NOTES-1.19;hb=1.19.1

https://www.mediawiki.org/wiki/Release_notes/1.19

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.1.tar.gz

Patch to previous version (1.19.0):
http://download.wikimedi

MediaWiki security release 1.18.4

Sam Reed — 2012-06-13T21:19:51

I would like to announce the release of MediaWiki 1.18.4. One security issue
was discovered.

Both Chris Steipp and Formafix discovered that the uselang http parameter
was vulnerable to XSS.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=36938

Chris Steipp also improved the blacklisting of bad elements in SVG files.
This includes catching known
hostile files, and also disallowing the upload of svg files that include
remote resources.

This is work is part of an on-going effort to prevent exploits being hidden
in uploaded SVG files.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE
LEASE-NOTES-1.18;hb=1.18.4

https://www.mediawiki.org/wiki/Release_notes/1.18

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.tar.gz

Patch to previous version (1.18.3):
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.patch.gz

GPG signatures:
http://do

MediaWiki security release 1.17.5

Sam Reed — 2012-06-13T21:19:47

I would like to announce the release of MediaWiki 1.17.5. One security issue
was discovered.

Both Chris Steipp and Formafix discovered that the uselang http parameter
was vulnerable to XSS.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=36938

Chris Steipp also improved the blacklisting of bad elements in SVG files.
This includes catching known
hostile files, and also disallowing the upload of svg files that include
remote resources.

This is work is part of an on-going effort to prevent exploits being hidden
in uploaded SVG files.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE
LEASE-NOTES;hb=1.17.5

https://www.mediawiki.org/wiki/Release_notes/1.17

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.5.tar.gz

Patch to previous version (1.17.4):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.5.patch.gz

GPG signatures:
http://downloa

MediaWiki 1.19.0 released

Sam Reed — 2012-05-02T14:31:31

I'm happy to announce the availability of the first stable release
of the new MediaWiki 1.19 release series.

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes in
this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the
beta
release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

Comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by  default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable

MediaWiki 1.19.0rc1

Sam Reed — 2012-04-26T15:25:48

I'm happy to announce the availability of the first release candidate
release of the new MediaWiki 1.19 release series.

Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.19.0.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of v

MediaWiki maintenance release 1.18.3

Sam Reed — 2012-04-26T15:25:43

I would like to announce the release of MediaWiki 1.18.3. This release
correct issues

from the 1.18.2 security release, and also some other bugs.

 

* (bug 35446) Using "{{nse:}}" with an invalid namespace name no longer
throws

  a PHP warning.

* (bug 35567) The whole password reminder e-mail is now sent in the same
language.

* (bug 35961) Hash comparison should always be strict.

* (bug 35671) PHP Notice: Undefined index: gettoken in
includes/api/ApiMain.php

  on line 598.

* Fix broken email confirmation expiration caused by MWCryptRand changes.

 

Full release notes:

https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-
NOTES-1.18;hb=REL1_18

https://www.mediawiki.org/wiki/Release_notes/1.18

 

 

**********************************************************************

Download:

http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.tar.gz

 

Patch to previous version (1.18.2):

http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.patch.gz

 

GPG signature

MediaWiki maintenance release 1.17.4

Sam Reed — 2012-04-26T15:25:39

I would like to announce the release of MediaWiki 1.17.4. This release
correct issues
from the 1.17.3 security release, and also some other bugs.

* (bug 35961) Hash comparison should always be strict.
* Fix broken email confirmation expiration caused by MWCryptRand changes.
* (bug 35671) PHP Notice: Undefined index: gettoken in
includes/api/ApiMain.php
  on line 598.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-
NOTES;hb=REL1_17
https://www.mediawiki.org/wiki/Release_notes/1.17


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz

Patch to previous version (1.17.3):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


_______

MediaWiki 1.19.0beta2

Sam Reed — 2012-03-22T19:37:34

I'm happy to announce the availability of the second beta release of the
new MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Five security issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the d

MediaWiki security and maintenance release1.17.3

Sam Reed — 2012-03-22T19:37:29

I would like to announce the release of MediaWiki 1.17.3. Five security
issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF
protection tokens. This allows compromise of the wiki's user accounts, say
by
changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as

MediaWiki security and maintenance release1.18.2

Sam Reed — 2012-03-22T19:37:32

I would like to announce the release of MediaWiki 1.18.2. Five security
issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF
protection tokens. This allows compromise of the wiki's user accounts, say
by
changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as