oss-sec mailing list archives
CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5
From: "Thijs Kinkhorst" <thijs () debian org>
Date: Tue, 16 Apr 2013 14:00:43 +0200
Hi all, Please assign CVE names for the issues below in Mediawiki. The announcement contains references to bug numbers which have all the details. Thanks, Thijs ---------------------------- Original Message ---------------------------- Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.4 and 1.19.5 From: "Chris Steipp" <csteipp () wikimedia org> Date: Mon, April 15, 2013 22:37 To: mediawiki-announce () lists wikimedia org "MediaWiki-l" <mediawiki-l () lists wikimedia org> "Wikimedia developers" <wikitech-l () lists wikimedia org> -------------------------------------------------------------------------- I would like to announce the release of MediaWiki 1.20.4 and 1.19.5. These releases fix 3 security related bugs that could affect users of MediaWiki. Download links are given at the end of this email. * An internal review discovered that specially crafted Lua function names could lead to XSS. <https://bugzilla.wikimedia.org/show_bug.cgi?id=46084> * Daniel Franke reported that during SVG parsing, MediaWiki failed to prevent XML external entity (XXE) processing. This could lead to local file disclosure, or potentially remote command execution in environments that have enabled expect:// handling. <https://bugzilla.wikimedia.org/show_bug.cgi?id=46859> * Internal review also discovered that Special:Import, and Extension:RSS failed to prevent XML external entity (XXE) processing. <https://bugzilla.wikimedia.org/show_bug.cgi?id=47251> Full release notes for 1.20.4: <https://www.mediawiki.org/wiki/Release_notes/1.20> Full release notes for 1.19.5: <https://www.mediawiki.org/wiki/Release_notes/1.19> For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> ********************************************************************** 1.20.4 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz Patch to previous version (1.20.3): http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz GPG signatures: http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig Public keys: https://secure.wikimedia.org/keys.html ********************************************************************** 1.19.5 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz Patch to previous version (1.19.4): http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz GPG signatures: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig Public keys: https://secure.wikimedia.org/keys.html ********************************************************************** Extension:RSS ********************************************************************** Information and Download: https://www.mediawiki.org/wiki/Extension:RSS _______________________________________________ MediaWiki announcements mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Current thread:
- CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5 Thijs Kinkhorst (Apr 16)
- Re: CVE Request: MediaWiki Security Releases 1.20.4 and 1.19.5 Kurt Seifried (Apr 16)