Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Apr 2013 14:00:43 +0200
From: "Thijs Kinkhorst" <thijs@...ian.org>
To: "Open Source Security" <oss-security@...ts.openwall.com>
Subject: CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5

Hi all,

Please assign CVE names for the issues below in Mediawiki.
The announcement contains references to bug numbers which have all the
details.


Thanks,
Thijs

---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.4 and 1.19.5
From:    "Chris Steipp" <csteipp@...imedia.org>
Date:    Mon, April 15, 2013 22:37
To:      mediawiki-announce@...ts.wikimedia.org
         "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>
         "Wikimedia developers" <wikitech-l@...ts.wikimedia.org>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>


Full release notes for 1.20.4:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.5:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.20.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz

Patch to previous version (1.20.3):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


**********************************************************************
   1.19.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz

Patch to previous version (1.19.4):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   Extension:RSS
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:RSS

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.