MediaWiki 1.20.5 and 1.19.6 Multiple Vulns

2013.05.01

Credit: Hanno Bock

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-2031 | CVE-2013-2032

CWE: N/A

I would like to announce the release of MediaWiki 1.20.5 and 1.19.6.
These releases fix 2 security related issues that could affect users
of MediaWiki. Download links are given at the end of this email.
* Jan Schejbal / Hatforce.com reported that SVG script filtering could
be bypassed for Chrome and Firefox clients by using an encoding that
MediaWiki understood, but these browsers interpreted as UTF-8.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47304>
* Internal review discovered that extensions were not given the
opportunity to disable a password reset, which could lead to
circumvention of two-factor authentication.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46590>
Full release notes for 1.20.5:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.6:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.20.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.tar.gz
Patch to previous version (1.20.4), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.5.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.5.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.5.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
**********************************************************************
1.19.6
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz
Patch to previous version (1.19.5), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.6.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.6.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html

References:

https://secure.wikimedia.org/keys.html

http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.6.tar.gz

https://bugzilla.wikimedia.org/show_bug.cgi?id=46590

http://seclists.org/oss-sec/2013/q2/247

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MediaWiki 1.20.5 and 1.19.6 Multiple Vulns

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.