CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8

["Thijs Kinkhorst" <thijs () debian org>]

Hi,

Mediawiki has announced the following security releases. The message
contains a link to the patches for various release branches.

Can CVE names be assigned please?


thanks,
Thijs

---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7
and 1.19.8
From:    "Chris Steipp" <csteipp () wikimedia org>
Date:    Tue, September 3, 2013 22:50
To:      mediawiki-announce () lists wikimedia org
         "MediaWiki-l" <mediawiki-l () lists wikimedia org>
         "Wikimedia developers" <wikitech-l () lists wikimedia org>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.

* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an invalid language is specified in ResourceLoader
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>

* An internal review found several API modules allowed anti-CSRF tokens to
be accessed via JSONP.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>

* Andreas Peetz reported an issue with the MediaWiki API where an invalid
property name could be used for XSS with older versions of Internet
Explorer.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>


Additionally, the following extensions have been updated to fix security
issues:

* CentralAuth: An internal review found an authentication regression that
allowed an attacker to bypass authentication
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>

* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
example.php script
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>

* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
anti-CSRF tokens for checking users
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>

* Wikibase: Liangent reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>

* LiquidThreads: Alex Monk reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>



Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz

Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz

Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz

Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
   Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi

**********************************************************************
   Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser

**********************************************************************
   Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase

**********************************************************************
   Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce