MediaWiki Security Releases 1.20.4 and 1.19.5 XSS & XXE

2013.04.16

Credit: Thijs Kinkhorst

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>


Full release notes for 1.20.4:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.5:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.20.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz

Patch to previous version (1.20.3):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


**********************************************************************
   1.19.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz

Patch to previous version (1.19.4):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   Extension:RSS
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:RSS

References:

https://www.mediawiki.org/wiki/Extension:RSS

http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz

http://seclists.org/oss-sec/2013/q2/25

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MediaWiki Security Releases 1.20.4 and 1.19.5 XSS & XXE

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.