Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 May 2013 11:30:30 +0200
From: Thijs Kinkhorst <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: MediaWiki chunked uploads vulnerability

Hi,

Can a CVE name be assigned for the following MediaWiki issue please?


Thanks,
Thijs

----------  Doorgestuurd bericht  ----------

Onderwerp: [MediaWiki-announce] MediaWiki Security Release: 1.20.6 and 1.19.7
Datum: dinsdag 21 mei 2013, 22:14:52
Van: Chris Steipp <csteipp@...imedia.org>
Aan: mediawiki-announce@...ts.wikimedia.org, "MediaWiki-l" <mediawiki-
l@...ts.wikimedia.org>, Wikimedia developers <wikitech-l@...ts.wikimedia.org>

I would like to announce the release of MediaWiki 1.20.6 and 1.19.7.
These releases fix a security related issue that could affect users of
MediaWiki. Download links are given at the end of this email.

* MediaWiki user Marco discovered that security checks for file
uploads were not being run when the file was uploaded in chunks
through the API. This option has been available to users who can
upload files since MediaWiki 1.19.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=48306>

Full release notes for 1.20.6:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.7:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.20.6
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz

Patch to previous version (1.20.5):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


**********************************************************************
   1.19.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz

Patch to previous version (1.19.6):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

-------------------------------------------------------

Download attachment "signature.asc " of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.