headers
Sam Reed | 11 Jan 22:50
Picon

MediaWiki security and maintenance release 1.18.1

I would like to announce the release of MediaWiki 1.18.1. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose
deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

1.18.1 is also the first maintenance release of the 1.18 series, bringing
numerous bug fixes
to MediaWiki for issues found in the 1.18.0 release.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_18_1/phase3/RELEASE-NOT
ES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz

Patch to previous version (1.18.0), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Sam Reed | 11 Jan 22:50
Picon

MediaWiki security release 1.17.2

I would like to announce the release of MediaWiki 1.17.2. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose
deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_17_2/phase3/RELEASE-NOT
ES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz

Patch to previous version (1.17.1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.2.patch.gz.
sig

Public keys:
https://secure.wikimedia.org/keys.html
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 22 Jun 06:56
Picon

MediaWiki 1.17.0 released


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are proud to announce the first stable release of the 1.17 series.

Selected changes since MediaWiki 1.16 that may be of interest:

* A new installer has been introduced. It has a wizard-style interface
  which is translated into many languages. Many shortcomings in the old
  installer were addressed with this rewrite. Note that it is no longer
  required for the config directory to be made writable by the webserver.
  Instead the generated LocalSettings.php file is offered as a download,
  which you must then upload to the wiki's base directory.

* ResourceLoader, a new framework for delivering client-side resources
  such as JavaScript and CSS, has been introduced. These resources are
  now delivered through the new entry point script "load.php", instead of
  as static files served directly by the web server. This allows
  minification, compression and client-side caching to be used more
  effectively, which should provide a net performance improvement for
  most users.

* Category sorting has been improved.
   * Sorting is now case insensitive.
   * Sub-categories, pages and files can now be paged separately.
   * When several pages are given the same sort key, they sort by their
     names instead of randomly.

* The lowest supported version of PHP is now 5.2.3. If necessary, please
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 14 Jun 04:54
Picon

MediaWiki release candidate 1.17.0rc1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A release candidate for the MediaWiki 1.17 branch is now available.
Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.17.0.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports. Many bugs have been
fixed, especially in the new installer.

Full release notes:
http://www.mediawiki.org/wiki/Release_notes/1.17

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz

Patch to previous version (1.17.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.0rc1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.0rc1.patch.gz.sig

Public keys:
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 5 May 14:39
Picon

MediaWiki 1.17 beta 1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.17 release series.

Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.

MediaWiki 1.17 is a very large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.

*********************************************************************
                             What's new?
*********************************************************************

PHP 5.2.3
- ---------

We now require PHP version 5.2.3 or later. Why? Well, it brings with
it some tools for your beloved developers. It was released on June
1, 2007, so we believe this requirement will not be a hassle for
administrators. Be sure to check your PHP installation and contact
your host if it runs an outdated PHP version.

New installer
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 5 May 07:52
Picon

MediaWiki security release 1.16.5


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.5. Two security
issues were discovered.

The first issue is yet another recurrence of the Internet Explorer 6
XSS vulnerability that caused the release of 1.16.4. It was pointed
out that there are dangerous extensions with more than four
characters, so the regular expressions we introduced had to be updated
to match longer extensions.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

The second issue allows unauthenticated users to gain additional
rights, on wikis where $wgBlockDisablesLogin is enabled. By default,
it is disabled. The issue occurs when a malicious user sends cookies
which contain the user name and user ID of a "victim" account. In
certain circumstances, the rights of the victim are loaded and persist
throughout the malicious request, allowing the malicious user to
perform actions with the victim's rights.

$wgBlockDisablesLogin is a feature which is sometimes used on private
wikis to prevent users who have an account from logging in and viewing
content on the wiki.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28639

**********************************************************************
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 14 Apr 09:47
Picon

MediaWiki security release 1.16.4

Our patch for the Internet Explorer 6 XSS issue (bug 28235) released
two days ago in 1.16.3 was insufficient to fix that bug. The original
reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we
are doing another release, which contains a second attempt at fixing
the issue.

Apologies to everyone for the inconvenience. Big thanks go to Masato
Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan
Kattouw who helped me test the patch this time around, so that we can
hopefully avoid a repeat.

It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for
Internet Explorer clients, version 6 and earlier. Also, if you used
the Apache configuration I suggested in the previous release
announcement, you should update it to:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
    RewriteRule . - [forbidden]

We missed the fact that there can be more than one question mark in a
URL. In certain circumstances, IE 6 will use a file extension
immediately before a question mark character, regardless of how many
question marks precede it. For example, with the URL:

http://example.com/a?b?c.html?d?e

IE 6 will see the file extension as ".html".

**********************************************************************
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 12 Apr 05:23
Picon

MediaWiki security release 1.16.3


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.3, which is a
security release. Three security issues were discovered.

Masato Kinugawa discovered a cross-site scripting (XSS) issue, which
affects Internet Explorer clients only, and only version 6 and
earlier. Web server configuration changes are required to fix this
issue. Upgrading MediaWiki will only be sufficient for people who use
Apache with AllowOverride enabled.

Due to the diversity of uploaded files that we allow, MediaWiki does
not guarantee that uploaded files will be safe if they are interpreted
by the client as some arbitrary file type, such as HTML. We rely on
the web server to send the correct Content-Type header, and we rely on
the web browser to respect it. This XSS issue arises due to IE 6
looking for a file extension in the query string of the URL (i.e.
after the "?"), if no extension is found in path part of the URL.
Masato Kinugawa discovered that the file extension in the path part
can be hidden from IE 6 by substituting the "." with "%2E".

To fix this issue, configure your web server to deny requests with
URLs that have a path part ending in a dot followed by a dangerous
file extension. For example, in Apache with mod_rewrite:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
    RewriteRule . - [forbidden]
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 2 Feb 00:16
Picon

MediaWiki security release 1.16.2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.2, which is a
security release. Two security issues were discovered.

An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected. For more details, see bug 27094:

https://bugzilla.wikimedia.org/show_bug.cgi?id=27094

Security researcher mghack discovered a CSS injection vulnerability.
For Internet Explorer and similar browsers, this is equivalent to an
XSS vulnerability, that is to say, it allows the compromise of wiki
user accounts. For other browsers, it allows private data such as IP
addresses and browsing patterns to be sent to a malicious external web
server. It affects all versions of MediaWiki. All users are advised to
upgrade. For more information, see bug 27093:

https://bugzilla.wikimedia.org/show_bug.cgi?id=27093

This vulnerability was originally reported to the Mozilla Security
Group and has been assigned CVE-2011-0047.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Tim Starling | 13 Jan 05:01
Picon

MediaWiki and PHP 5.3.5/5.2.17

If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux
distribution which includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
will be vulnerable to a denial-of-service vulnerability.

CVE-2010-4645 is a vulnerability which causes the conversion from a
string to a floating-point number to take forever, for certain special
strings. PHP's weak typing means that such conversion can take place
implicitly, for example in code like "$string > 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.

PHP release announcement:
http://www.php.net/archive/2011.php#id2011-01-06-1

Updated Ubuntu packages:
http://www.ubuntu.com/usn/usn-1042-1

-- Tim Starling
Permalink | Reply | 0 comments |
headers
Tim Starling | 4 Jan 07:55
Picon

MediaWiki security release 1.16.1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.1, which is a
security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no
protection against "clickjacking". With user or site JavaScript or CSS
enabled, clickjacking can lead to cross-site scripting (XSS), and thus
full compromise of the wiki account of any user who visits a malicious
external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views
and a few selected special pages. To be protected, all users need to
use a browser which supports X-Frame-Options. For information about
supported browsers, see:

<https://developer.mozilla.org/en/the_x-frame-options_response_header>

For more information about this vulnerability and the related patch, see:

<https://bugzilla.wikimedia.org/show_bug.cgi?id=26561>

Other changes in MediaWiki 1.16.1:

* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement
(Continue reading)

Permalink | Reply | 0 comments |

Gmane