Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <516DA1B7.7030807@redhat.com>
Date: Tue, 16 Apr 2013 13:08:39 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Thijs Kinkhorst <thijs@...ian.org>, "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE Request: MediaWiki Security Releases 1.20.4
 and 1.19.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2013 06:00 AM, Thijs Kinkhorst wrote:
> Hi all,
> 
> Please assign CVE names for the issues below in Mediawiki. The
> announcement contains references to bug numbers which have all the 
> details.

Unfortunately they were on a tight schedule and I was also busy on
other things so it didn't get done in time for the public announcement.

> 
> 
> Thanks, Thijs
> 
> ---------------------------- Original Message
> ---------------------------- Subject: [MediaWiki-announce]
> MediaWiki Security Release: 1.20.4 and 1.19.5 From:    "Chris
> Steipp" <csteipp@...imedia.org> Date:    Mon, April 15, 2013 22:37 
> To:      mediawiki-announce@...ts.wikimedia.org "MediaWiki-l"
> <mediawiki-l@...ts.wikimedia.org> "Wikimedia developers"
> <wikitech-l@...ts.wikimedia.org> 
> --------------------------------------------------------------------------
>
>  I would like to announce the release of MediaWiki 1.20.4 and
> 1.19.5. These releases fix 3 security related bugs that could
> affect users of MediaWiki. Download links are given at the end of
> this email.
> 
> * An internal review discovered that specially crafted Lua
> function names could lead to XSS. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

This was assigned CVE-2013-1951

> * Daniel Franke reported that during SVG parsing, MediaWiki failed
> to prevent XML external entity (XXE) processing. This could lead to
> local file disclosure, or potentially remote command execution in 
> environments that have enabled expect:// handling. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>
> 
> * Internal review also discovered that Special:Import, and 
> Extension:RSS failed to prevent XML external entity (XXE)
> processing. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>

As per this:

http://seclists.org/oss-sec/2013/q2/5

no CVE's were assigned for the XXE stuff, upstream agrees. Steven can
you confirm this is the correct action to take?

> Full release notes for 1.20.4: 
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
> 
> Full release notes for 1.19.5: 
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
> 
> For information about how to upgrade, see 
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
> 
> 
> **********************************************************************
>
> 
1.20.4
> **********************************************************************
>
> 
Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz
>
>  Patch to previous version (1.20.3): 
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz
>
>  GPG signatures: 
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
>
> 
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig
> 
> Public keys: https://secure.wikimedia.org/keys.html
> 
> 
> **********************************************************************
>
> 
1.19.5
> **********************************************************************
>
> 
Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz
>
>  Patch to previous version (1.19.4): 
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz
>
>  GPG signatures: 
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
>
> 
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig
> 
> Public keys: https://secure.wikimedia.org/keys.html
> 
> **********************************************************************
>
> 
Extension:RSS
> **********************************************************************
>
> 
Information and Download:
> https://www.mediawiki.org/wiki/Extension:RSS
> 
> _______________________________________________ MediaWiki
> announcements mailing list To unsubscribe, go to: 
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbaG3AAoJEBYNRVNeJnmTp0oQANKV7zFSJHnSa3QYgrujHd4v
MPkq1eTnXGYb86yW48nOqgNyd/n02WFTWgYLYfh+fOXWC2mM+lNfEyl0lrtp6fAK
S/o6yxfQJcVYGVO3R7eemTAqBRSEdchK6yH/Fm7xqJOatyzqzh1XZbEHtzv1wCKw
dDlkc3kIVZRViOxERTTbZ+HTjzivirRsGgnJ1O2ZTrZeX4rpXd4zBi7iEv2uOSQH
YJiWAOYftMow53LXZltXhlCe0d1QMgIjljYfKj3jwjiEbTUI1fD2Zy/gT56QhmrJ
8Khlk70I3zsdZCHVyO67/T0Z6sWla7OAhOnAqOWlcAQoKlgStFwozX1mHQ2fJ+lJ
zvpXD5dJ2efUFsJPqa3njDmUQsoFLU6HLdJqPvQC5E8ObVd5sU0L1yaD6tv2CL5S
SAdeIoXEXhZs7wZrBDfFx1zTmpyhnKUkjebL+pQPgRZhqhAGftoxmzcCMnA1G8n2
xMI9QEHSZtCq8lHB272lJAszWhS/kuc7x/zktBIrutC1EV6hrNE7HUEIUYHF7H7F
M8B2pnQdAW06n7TmL1dlF0637yL0cf3VQiSRGsHXnhhvsXFhNT1+xdjWYkHZROPx
E9olmi8lKpYctMyAkuoF727bOicNEWX5ZBfmjYBnbGkL65ZxwTneuAqdxe4wz4VH
tp1ruVkgJaFGA6EXOxoG
=IjH9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.