Mailing List Archive

Pre-Release Announcement for MediaWiki 1.18.6, 1.19.3, and 1.20.1
On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on Thursday. We will send another
announcement email when the patches and tar files are ready for
download.

* Vulnerabilities were found in both MediaWiki core and the
CentralAuth extension. Successful exploitation could allow an attacker
to compromise another user's account. Risk is considered moderate
(CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to
prevent users from viewing Special:RecentChanges, and other pages,
which could prevent the detection of SPAM or vandalism. Public wikis
are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS.
Exploitation requires user interaction or an existing XSS
vulnerability, so risk of exploitation is low.

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce