[Systems] [Fwd: [MediaWiki-announce] MediaWiki security update: 1.15.4 and 1.16.0beta3]

Bernie Innocenti bernie at codewiz.org
Mon May 31 16:07:56 EDT 2010


I think we don't need to worry about these vulnerabilities, but it would
be great if someone could take the time to upgrade our wikis.

Our setup is a little complicated and there's no documentation yet: I
suggest doing the devel and test wikis first, to get some practice.

--------- Forwarded message --------
From: Tim Starling <tstarling at wikimedia.org>
Reply-to: mediawiki-l at lists.wikimedia.org
To: mediawiki-l at lists.wikimedia.org, wikitech-l at lists.wikimedia.org,
mediawiki-announce at lists.wikimedia.org
Subject: [MediaWiki-announce] MediaWiki security update: 1.15.4 and
1.16.0beta3
Date: Fri, 28 May 2010 17:40:46 +1000

This is a security and bugfix release of MediaWiki 1.15.4 and
MediaWiki 1.16 beta 3.

Two security vulnerabilities were discovered.

Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE; it has been confirmed on IE 6 and 8.

Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.

These vulnerabilities are serious and all users are advised to
upgrade. Remember that CSRF and XSS vulnerabilities can be used even
against firewall-protected intranet installations, as long as the
attacker can guess the URL.

In addition to the security fix, MediaWiki 1.16 beta 3 also contains
many useful bug fixes to 1.16 beta 2. We expect to be able to do a
stable release of the 1.16 branch within the next week or two.

Both releases contain localisation updates courtesy of translatewiki.net.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_4/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta3/phase3/RELEASE-NOTES


**********************************************************************
   1.15.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.tar.gz

Patch to previous version (1.15.3), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   1.16 beta 3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.tar.gz

Patch to previous version (1.16.0beta2), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
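The CSRF gap in the account-creation and password-reset forms described in the forwarded announcement, as an added illustration that is not MediaWiki's own code: the unprotected handler honours any POST naming a user, while the hardened handler only accepts a POST carrying the token minted for the caller's session. Field names, session keys and the in-memory user store are constructed for the example.

```python
import hmac
import secrets

# Hypothetical form field and session key names, chosen for this example only.
TOKEN_FIELD = "token"
SESSION_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Mint one random token per session; the form that renders it embeds this value."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_hex(16)
    return session[SESSION_KEY]


def token_matches(session: dict, submitted) -> bool:
    """Constant-time check; a missing session token or missing field never matches."""
    expected = session.get(SESSION_KEY)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def create_account_unprotected(session: dict, form: dict, users: dict) -> str:
    """Pre-fix shape: any POST with a name and password is honoured, wherever it came from."""
    users[form["name"]] = form["password"]
    return "created"


def create_account_protected(session: dict, form: dict, users: dict) -> str:
    """Fixed shape: the POST must carry the token bound to this very session."""
    if not token_matches(session, form.get(TOKEN_FIELD)):
        return "rejected: missing or wrong token"
    users[form["name"]] = form["password"]
    return "created"


def demo() -> dict:
    """Send a forged cross-site POST (no token) and a genuine one through both handlers."""
    users: dict = {}
    victim_session: dict = {}
    forged = {"name": "Mallory", "password": "hunter2"}  # constructed: no token field at all
    results = {"unprotected": create_account_unprotected(victim_session, forged, users),
               "protected_forged": create_account_protected(victim_session, forged, users)}
    # Genuine submission: the page that rendered the form embedded the session's token.
    genuine = {**forged, "name": "Alice", TOKEN_FIELD: issue_token(victim_session)}
    results["protected_genuine"] = create_account_protected(victim_session, genuine, users)
    # A valid token from a different session (e.g. the attacker's own) must be rejected too.
    cross = {**forged, TOKEN_FIELD: issue_token({})}
    results["protected_other_session"] = create_account_protected(victim_session, cross, users)
    results["users"] = sorted(users)
    return results
```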