
MediaWiki security release: 1.20.1, 1.19.3 and 1.18.6
I would like to announce the release of MediaWiki 1.20.1, 1.19.3 and
1.18.6. These releases fix 3 security-related bugs that could affect
users of MediaWiki. Download links are given at the end of this email.
Please note that support for the MediaWiki 1.18 branch ends this
month.

* During an internal review, it was discovered that MediaWiki core is
vulnerable to session fixation attacks. Successful exploitation could
allow an attacker to compromise another user's account. This issue
has been assigned CVE-2012-5391. A similar vulnerability was also
identified in the CentralAuth Extension, and assigned CVE-2012-5395.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40995>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40962>

* Wikipedia user PleaseStand discovered that a new API feature in
MediaWiki 1.20 allowed for HTML code to be injected into the
"editfont" option. Since this option only affects the current user,
exploitation for XSS is difficult. However, users of MediaWiki 1.20
are encouraged to upgrade.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=42202>

* Wikipedia user PleaseStand discovered that a PCRE backtrack limit
could easily be exceeded, causing recent changes and history pages to
fail to display. Since these pages are often used for fighting spam
and vandalism, public wikis are encouraged to update.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=41400>


Full release notes for 1.20.1:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.3:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

Full release notes for 1.18.6:
<https://www.mediawiki.org/wiki/Release_notes/1.18>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
1.20.1
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.tar.gz

Patch to previous version (1.20.0), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.19.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.tar.gz

Patch to previous version (1.19.2), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.18.6
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.tar.gz

Patch to previous version (1.18.5):
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.6.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
http://www.mediawiki.org/wiki/Extension:CentralAuth

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce