MediaWiki 1.20.5 and 1.19.6 Multiple Vulns

2013.05.01
Credit: Hanno Bock
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

I would like to announce the release of MediaWiki 1.20.5 and 1.19.6. These releases fix 2 security related issues that could affect users of MediaWiki. Download links are given at the end of this email.

* Jan Schejbal / Hatforce.com reported that SVG script filtering could be bypassed for Chrome and Firefox clients by using an encoding that MediaWiki understood, but these browsers interpreted as UTF-8.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=47304>

* Internal review discovered that extensions were not given the opportunity to disable a password reset, which could lead to circumvention of two-factor authentication.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=46590>

Full release notes for 1.20.5:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.6:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.20.5
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.tar.gz

Patch to previous version (1.20.4), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.19.6
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz

Patch to previous version (1.19.5), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.6.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.6.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
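
A defensive upload check for the first issue, as an added example that is not MediaWiki's actual fix or code from the announcement: it accepts an SVG only when its bytes are valid UTF-8 and any declared encoding is UTF-8, so the sanitizer and the browser cannot disagree on how the file is decoded. The function name, the UTF-8-only allowlist and the fail-closed behaviour are assumptions made for illustration.

```python
import codecs
import re

ALLOWED = {"utf-8"}  # assumption: the upload filter parses UTF-8 only
FOREIGN_BOMS = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE,
                codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)
ENC_ATTR = re.compile(rb'encoding\s*=\s*["\']([A-Za-z][A-Za-z0-9._-]*)["\']')


def check_svg_encoding(data: bytes):
    """Return (accepted, reason) for raw SVG upload bytes (hypothetical helper)."""
    # A UTF-16/32 byte order mark tells a BOM-honouring consumer to use that encoding.
    if data.startswith(FOREIGN_BOMS):
        return False, "non-UTF-8 byte order mark"
    if data.startswith(codecs.BOM_UTF8):
        data = data[len(codecs.BOM_UTF8):]
    if data.startswith(b"<?xml"):
        end = data.find(b"?>")
        if end == -1:
            return False, "unterminated XML declaration"
        decl = data[:end]
        match = ENC_ATTR.search(decl)
        if match is None:
            # Fail closed: an encoding attribute we cannot parse is rejected.
            if b"encoding" in decl.lower():
                return False, "unparseable encoding attribute"
        else:
            label = match.group(1).decode("ascii")
            try:
                canonical = codecs.lookup(label).name  # folds aliases such as UTF8
            except LookupError:
                return False, f"unknown encoding {label!r}"
            if canonical not in ALLOWED:
                return False, f"declared encoding {label!r} is not allowed"
    # Whatever was declared, the bytes themselves must decode as strict UTF-8.
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False, "content is not valid UTF-8"
    return True, "ok"
```

Run this on the raw bytes before any sanitizer decodes them; files that pass are parsed as UTF-8 by both the filter and the client.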

References:

https://secure.wikimedia.org/keys.html
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz
https://bugzilla.wikimedia.org/show_bug.cgi?id=46590
http://seclists.org/oss-sec/2013/q2/247

