oss-sec mailing list archives
CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5
From: "Thijs Kinkhorst" <thijs () debian org>
Date: Tue, 16 Apr 2013 14:00:43 +0200
Hi all,
Please assign CVE names for the issues below in MediaWiki.
The announcement contains references to bug numbers which have all the
details.
Thanks,
Thijs
---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.4 and 1.19.5
From: "Chris Steipp" <csteipp () wikimedia org>
Date: Mon, April 15, 2013 22:37
To: mediawiki-announce () lists wikimedia org
"MediaWiki-l" <mediawiki-l () lists wikimedia org>
"Wikimedia developers" <wikitech-l () lists wikimedia org>
--------------------------------------------------------------------------
I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.
* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>
* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>
* Internal review also discovered that Special:Import and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>
Full release notes for 1.20.4:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.5:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.20.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz
Patch to previous version (1.20.3):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
**********************************************************************
1.19.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz
Patch to previous version (1.19.4):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
**********************************************************************
Extension:RSS
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:RSS
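The two XXE items above (SVG parsing, and Special:Import / Extension:RSS) share one root cause: an XML parser that honoured DTD entity declarations in user-supplied input. As an added illustration, not MediaWiki's fix and not code from the announcement, the following Python check inspects a document with expat's DTD callbacks and rejects it when it declares entities or references an external one; the sample SVG documents are constructed for the example.

```python
# Added example: an upload-time check that refuses XML (here SVG) carrying
# entity declarations or external entity references, observed through expat's
# DTD callbacks without ever resolving anything.
import xml.parsers.expat

# Constructed sample inputs (not taken from the advisory).
CLEAN_SVG = (b'<?xml version="1.0"?>'
             b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>')

XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')

INTERNAL_ENTITY_SVG = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE svg [ <!ENTITY a "aaaa"> ]>'
                       b'<svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>')


def xml_entity_findings(data: bytes) -> list:
    """Parse `data` with expat and record every DOCTYPE, entity declaration and
    external entity reference as a (kind, detail) tuple. An empty list means no
    DTD or entity construct was seen and the document was well-formed."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # sysid is set only for SYSTEM/PUBLIC (external) entities.
        kind = "external_entity_decl" if sysid is not None else "internal_entity_decl"
        findings.append((kind, name))

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference; returning 1 lets parsing continue and expat
        # performs no file or network access on its own.
        findings.append(("external_entity_ref", sysid))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("parse_error", str(exc)))
    return findings


def is_acceptable_svg(data: bytes) -> bool:
    """Policy: reject any entity declaration (internal ones cover entity
    expansion attacks too), any external reference and any malformed document;
    a bare DOCTYPE name on its own is tolerated."""
    return all(kind == "doctype" for kind, _ in xml_entity_findings(data))
```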