Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecurityNotifies] [MediaWiki-announce] MediaWiki security update: 1.15.2

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecurityNotifies] [MediaWiki-announce] MediaWiki security update: 1.15.2


Chronologisch Thread 
  • From: Tim Starling <tstarling AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
  • Subject: [IT-SecurityNotifies] [MediaWiki-announce] MediaWiki security update: 1.15.2
  • Date: Mon, 08 Mar 2010 15:49:28 -0800
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Openpgp: id=BF976370

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.15.2.

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.

MediaWiki is not compatible with PHP 5.3.1 due to a bug in that
release, which is fixed in PHP 5.3.2. This release of MediaWiki will
refuse to upgrade if an affected version of PHP is present. Note that
local or distribution-specific backports of the PHP bug fix are
supported. See http://bugs.php.net/50394 for details.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_2/phase3/RELEASE-NOTES


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.tar.gz

Patch to previous version (1.15.1), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkuVjQcACgkQgkA+Wfn4zXkYqACfRXMeQdbHT2ep+xEbkgPpz+BA
5pgAoMhuJQ6UJrW8Wdh/Ji9VA/h8MRH0
=CDe6
-----END PGP SIGNATURE-----


_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce



  • [IT-SecurityNotifies] [MediaWiki-announce] MediaWiki security update: 1.15.2, Tim Starling, 09.03.2010

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang