Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 Mar 2012 22:46:35 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        reedy@...imedia.org
Subject: CVEs for MediaWiki security and maintenance release 1.18.2

These issues affect Mediawiki 1.18.1 (just stating the obvious =).

> I would like to announce the release of MediaWiki 1.18.2. Five security
> issues were discovered.
>
> It was discovered that the api had a cross-site request forgery (CSRF)
> vulnerability in the block/unblock modules. It was possible for a user
> account with the block privileges to block or unblock another user without
> providing a token.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

Please use CVE-2012-1578 for this issue.


> It was discovered that the resource loader can leak certain kinds of
private
> data across domain origin boundaries, by providing the data as an
executable
> JavaScript file. In MediaWiki 1.18 and later, this includes the
leaking of CSRF
> protection tokens. This allows compromise of the wiki's user accounts,
say by
> changing the user's email address and then requesting a password reset.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Please use CVE-2012-1579 for this issue.


> Jan Schejbal of Hatforce.com discovered a cross-site request forgery
(CSRF)
> vulnerability in Special:Upload. Modern browsers (since at least as
early as
> December 2010) are able to post file uploads without user interaction,
> violating previous security assumptions within MediaWiki.
>
> Depending on the wiki's configuration, this vulnerability could lead
to further
> compromise, especially on private wikis where the set of allowed file
types is
> broader than on public wikis. Note that CSRF allows compromise of a
wiki from
> an external website even if the wiki is behind a firewall.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

Please use CVE-2012-1580 for this issue.


> George Argyros and Aggelos Kiayias reported that the method used to
generate
> password reset tokens is not sufficiently secure. Instead we use
various more
> secure random number generators, depending on what is available on the
> platform. Windows users are strongly advised to install either the openssl
> extension or the mcrypt extension for PHP so that MediaWiki can take
advantage
> of the cryptographic random number facility provided by Windows.
>
> Any extension developers using mt_rand() to generate random numbers in
contexts
> where security is required are encouraged to instead make use of the
> MWCryptRand class introduced with this release.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

Please use CVE-2012-1581 for this issue.


> A long-standing bug in the wikitext parser (bug 22555) was discovered
to have
> security implications. In the presence of the popular CharInsert
extension, it
> leads to cross-site scripting (XSS). XSS may be possible with other
extensions
> or perhaps even the MediaWiki core alone, although this is not
confirmed at
> this time. A denial-of-service attack (infinite loop) is also possible
> regardless of configuration.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

Please use CVE-2012-1582 for this issue.


> Full release notes:
>
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE
> LEASE-NOTES-1.18;hb=1.18.2
> https://www.mediawiki.org/wiki/Release_notes/1.18
>
> Co-inciding with these security releases, the MediaWiki source code
> repository has
> moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3)
> to Git (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So
the relevant
> commits for these releases will not be appearing in our SVN
repository. If you use
> SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
> If you up are using tarballs, there should be no change in the process
for you.
>
> Please note that any WMF-deployed extensions have also been migrated
to Git
> also, along with some other non WMF-maintained ones.
>
> Please bear with us, some of the Git related links for this release
may not
> work instantly, but should later on.
>
> To do a simple Git clone, the command is:
> git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
>
> More information is available at https://www.mediawiki.org/wiki/Git
>
> For more help, please visit the #mediawiki IRC channel on freenode.net
> irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list
> at mediawiki-l at lists.wikimedia.org.
>
>
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz
>
> Patch to previous version (1.18.1), without interface text:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz
> Interface text changes:
>
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz.sig
>
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz.
> sig
>
> Public keys:
> https://secure.wikimedia.org/keys.html
>
>
>
-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.