Date: Fri, 24 May 2013 01:29:49 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Thijs Kinkhorst <thijs@...ian.org>
Subject: Re: CVE request: MediaWiki chunked uploads vulnerability


On 05/22/2013 03:30 AM, Thijs Kinkhorst wrote:
> Hi,
> 
> Can a CVE name be assigned for the following MediaWiki issue
> please?

Nope, see below. Email me if you want to become the official MediaWiki
requester.

> 
> Thanks, Thijs
> 
> ----------  Forwarded message  ----------
> 
> Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.6 and 1.19.7
> Date: Tuesday 21 May 2013, 22:14:52
> From: Chris Steipp <csteipp@...imedia.org>
> To: mediawiki-announce@...ts.wikimedia.org, "MediaWiki-l" <mediawiki-l@...ts.wikimedia.org>, Wikimedia developers <wikitech-l@...ts.wikimedia.org>
> 
> I would like to announce the release of MediaWiki 1.20.6 and
> 1.19.7. These releases fix a security related issue that could
> affect users of MediaWiki. Download links are given at the end of
> this email.
> 
> * MediaWiki user Marco discovered that security checks for file 
> uploads were not being run when the file was uploaded in chunks 
> through the API. This option has been available to users who can 
> upload files since MediaWiki 1.19. 
> <https://bugzilla.wikimedia.org/show_bug.cgi?id=48306>
> 
> Full release notes for 1.20.6: 
> <https://www.mediawiki.org/wiki/Release_notes/1.20>
> 
> Full release notes for 1.19.7: 
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
> 
> For information about how to upgrade, see 
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
> 
> 
> **********************************************************************
> 1.20.6
> **********************************************************************
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz
> 
> Patch to previous version (1.20.5):
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz.sig
> 
> Public keys: https://secure.wikimedia.org/keys.html
> 
> 
> **********************************************************************
> 1.19.7
> **********************************************************************
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz
> 
> Patch to previous version (1.19.6):
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz.sig
> 
> Public keys: https://secure.wikimedia.org/keys.html

Please use CVE-2013-2114 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
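Added example, not code from the announcement, from MediaWiki, or from this thread: a defender's illustration in Python (MediaWiki itself is PHP) of the fix pattern the advisory implies. Both the single-request path and the chunked path call one verification routine on the complete file, and a parity helper lets a regression test confirm the two paths reach the same verdict. The extension/magic-byte policy table and all sample inputs are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed policy for this example: permitted extensions and the
# leading bytes a file claiming that extension must actually start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def verify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """The single check every upload path must run on the assembled file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_MAGIC:
        return False, f"extension '.{ext}' not permitted"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, f"content does not match declared type .{ext}"
    return True, "ok"


def upload_direct(filename: str, data: bytes) -> tuple[bool, str]:
    """Whole file delivered in one request: verify immediately."""
    return verify_upload(filename, data)


@dataclass
class ChunkedUpload:
    """Chunked session: verification is deferred to finish(), never skipped."""
    filename: str
    expected_sha1: str            # integrity value the client declared up front
    chunks: list = field(default_factory=list)

    def append(self, chunk: bytes) -> None:
        self.chunks.append(chunk)

    def finish(self) -> tuple[bool, str]:
        data = b"".join(self.chunks)
        if hashlib.sha1(data).hexdigest() != self.expected_sha1:
            return False, "reassembled file failed integrity check"
        return verify_upload(self.filename, data)   # same check as direct path


def upload_chunked(filename: str, data: bytes, chunk_size: int = 4) -> tuple[bool, str]:
    """Drive a chunked session end to end over constructed input."""
    session = ChunkedUpload(filename, hashlib.sha1(data).hexdigest())
    for offset in range(0, len(data), chunk_size):
        session.append(data[offset:offset + chunk_size])
    return session.finish()


def paths_agree(filename: str, data: bytes) -> bool:
    """Regression check: both upload paths must return the identical verdict."""
    return upload_direct(filename, data) == upload_chunked(filename, data)
```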
