oss-sec mailing list archives
CVE request: MediaWiki chunked uploads vulnerability
From: Thijs Kinkhorst <thijs () debian org>
Date: Wed, 22 May 2013 11:30:30 +0200
Hi,

Can a CVE name be assigned for the following MediaWiki issue please?

Thanks,
Thijs

---------- Forwarded message ----------

Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.6 and 1.19.7
Date: Tuesday 21 May 2013, 22:14:52
From: Chris Steipp <csteipp () wikimedia org>
To: mediawiki-announce () lists wikimedia org, "MediaWiki-l" <mediawiki-l () lists wikimedia org>, Wikimedia developers <wikitech-l () lists wikimedia org>

I would like to announce the release of MediaWiki 1.20.6 and 1.19.7. These releases fix a security related issue that could affect users of MediaWiki. Download links are given at the end of this email.

* MediaWiki user Marco discovered that security checks for file uploads were not being run when the file was uploaded in chunks through the API. This option has been available to users who can upload files since MediaWiki 1.19.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=48306>

Full release notes for 1.20.6:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.7:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.20.6
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz

Patch to previous version (1.20.5):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.19.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz

Patch to previous version (1.19.6):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

-------------------------------------------------------
Attachment:
signature.asc
Description: This is a digitally signed message part.
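
The bug class named in the announcement (upload checks not run on the chunked path), as an added Python example that is not MediaWiki's code: the one-shot and the chunked entry points both hand the assembled file to a single `publish()` function, so neither path can store a file without the checks. All names, the size limit and the checks inside `verify_upload` are hypothetical stand-ins.

```python
# Added illustration; not MediaWiki code. All names here are hypothetical.
ALLOWED_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
MAX_SIZE = 1 << 20  # constructed limit for the example


class UploadRejected(Exception):
    pass


def verify_upload(name: str, data: bytes) -> None:
    """Stand-in for the upload security checks: extension allowlist,
    content must match the claimed type, size cap."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:
        raise UploadRejected("file type not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")


def publish(store: dict, name: str, data: bytes) -> None:
    """Single choke point: nothing reaches the store unverified."""
    verify_upload(name, data)
    store[name] = data


def upload_whole(store: dict, name: str, data: bytes) -> None:
    publish(store, name, data)


class ChunkedUpload:
    def __init__(self, name: str):
        self.name, self.buf = name, bytearray()

    def add_chunk(self, offset: int, chunk: bytes) -> None:
        if offset != len(self.buf):
            raise UploadRejected("unexpected chunk offset")
        if len(self.buf) + len(chunk) > MAX_SIZE:
            raise UploadRejected("file too large")
        self.buf += chunk

    def finish(self, store: dict) -> None:
        # The assembled file goes through the same publish() as a
        # one-shot upload, so the checks cannot be skipped on this path.
        publish(store, self.name, bytes(self.buf))
```

A regression test for this class of bug asserts that every upload entry point returns the same verdict for the same file.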