Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 Mar 2012 22:46:35 -0600
From: Kurt Seifried <>
To: "" <>,
Subject: CVEs for MediaWiki security and maintenance release 1.18.2

These issues affect Mediawiki 1.18.1 (just stating the obvious =).

> I would like to announce the release of MediaWiki 1.18.2. Five security
> issues were discovered.
> It was discovered that the api had a cross-site request forgery (CSRF)
> vulnerability in the block/unblock modules. It was possible for a user
> account with the block privileges to block or unblock another user without
> providing a token.
> For more details, see

Please use CVE-2012-1578 for this issue.

> It was discovered that the resource loader can leak certain kinds of
> data across domain origin boundaries, by providing the data as an
> JavaScript file. In MediaWiki 1.18 and later, this includes the
leaking of CSRF
> protection tokens. This allows compromise of the wiki's user accounts,
say by
> changing the user's email address and then requesting a password reset.
> For more details, see

Please use CVE-2012-1579 for this issue.

> Jan Schejbal of discovered a cross-site request forgery
> vulnerability in Special:Upload. Modern browsers (since at least as
early as
> December 2010) are able to post file uploads without user interaction,
> violating previous security assumptions within MediaWiki.
> Depending on the wiki's configuration, this vulnerability could lead
to further
> compromise, especially on private wikis where the set of allowed file
types is
> broader than on public wikis. Note that CSRF allows compromise of a
wiki from
> an external website even if the wiki is behind a firewall.
> For more details, see

Please use CVE-2012-1580 for this issue.

> George Argyros and Aggelos Kiayias reported that the method used to
> password reset tokens is not sufficiently secure. Instead we use
various more
> secure random number generators, depending on what is available on the
> platform. Windows users are strongly advised to install either the openssl
> extension or the mcrypt extension for PHP so that MediaWiki can take
> of the cryptographic random number facility provided by Windows.
> Any extension developers using mt_rand() to generate random numbers in
> where security is required are encouraged to instead make use of the
> MWCryptRand class introduced with this release.
> For more details, see

Please use CVE-2012-1581 for this issue.

> A long-standing bug in the wikitext parser (bug 22555) was discovered
to have
> security implications. In the presence of the popular CharInsert
extension, it
> leads to cross-site scripting (XSS). XSS may be possible with other
> or perhaps even the MediaWiki core alone, although this is not
confirmed at
> this time. A denial-of-service attack (infinite loop) is also possible
> regardless of configuration.
> For more details, see

Please use CVE-2012-1582 for this issue.

> Full release notes:
> LEASE-NOTES-1.18;hb=1.18.2
> Co-inciding with these security releases, the MediaWiki source code
> repository has
> moved from SVN (at
> to Git ( So
the relevant
> commits for these releases will not be appearing in our SVN
repository. If you use
> SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
> If you up are using tarballs, there should be no change in the process
for you.
> Please note that any WMF-deployed extensions have also been migrated
to Git
> also, along with some other non WMF-maintained ones.
> Please bear with us, some of the Git related links for this release
may not
> work instantly, but should later on.
> To do a simple Git clone, the command is:
> git clone
> More information is available at
> For more help, please visit the #mediawiki IRC channel on
> irc:// or email The MediaWiki-l mailing list
> at mediawiki-l at
> **********************************************************************
> Download:
> Patch to previous version (1.18.1), without interface text:
> Interface text changes:
> GPG signatures:
> sig
> Public keys:
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ