FW: [MediaWiki-announce] MediaWiki security update: 1.15.3 and 1.16.0beta2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ugh - more CSRF breakage.

--
Matt Domsch
Technology Strategist
Dell | Office of the CTO
________________________________________
From: mediawiki-announce-bounces@xxxxxxxxxxxxxxxxxxx [mediawiki-announce-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Tim Starling [tstarling@xxxxxxxxxxxxx]
Sent: Tuesday, April 06, 2010 8:03 PM
To: mediawiki-l@xxxxxxxxxxxxxxxxxxx; wikitech-l@xxxxxxxxxxxxxxxxxxx; mediawiki-announce@xxxxxxxxxxxxxxxxxxx
Subject: [MediaWiki-announce] MediaWiki security update: 1.15.3 and     1.16.0beta2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.

MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.

Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.

Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.

For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076

**********************************************************************
  1.15.3
**********************************************************************

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz

Patch to previous version (1.15.2), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
  1.16.0beta2
**********************************************************************
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz

Patch to previous version (1.16.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAku72c0ACgkQgkA+Wfn4zXmmywCgg93Qn9fFiBZmMjfFfRXtQAAY
/2kAn3mnedysUErnHt59Va2rGHuSJUzf
=Ytqc
-----END PGP SIGNATURE-----


_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux