[IT-SecNots] [MediaWiki-announce] MediaWiki Security Release: 1.21.3, 1.20.8 and 1.19.9
- From: Chris Steipp <csteipp AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, MediaWiki-l <mediawiki-l AT lists.wikimedia.org>, Wikimedia developers <wikitech-l AT lists.wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Security Release: 1.21.3, 1.20.8 and 1.19.9
- Date: Thu, 14 Nov 2013 22:07:05 -0000
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and
1.19.9. These releases fix 2 security-related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
Additionally, the following extensions have been updated to fix security
issues:
* CleanChanges: MediaWiki steward Teles reported that revision-deleted IPs
are not correctly hidden when this extension is used (CVE-2013-4569).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability
(CVE-2013-4573).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
* CentralAuth: MediaWiki developer Platonides reported a login CSRF in
CentralAuth (CVE-2012-5394).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
Full release notes for 1.21.3:
<https://www.mediawiki.org/wiki/Release_notes/1.21>
Full release notes for 1.20.8:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.9:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.21.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.tar.gz
Patch to previous version (1.21.2), without interface text:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.3.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.3.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.20.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.tar.gz
Patch to previous version (1.20.7), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.8.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.8.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.19.9
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.tar.gz
Patch to previous version (1.19.8), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.9.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.9.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth
**********************************************************************
Extension:CentralNotice
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralNotice
**********************************************************************
Extension:CleanChanges
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CleanChanges
**********************************************************************
Extension:ZeroRatedMobileAccess
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:ZeroRatedMobileAccess
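
Added example (not part of the original announcement and not MediaWiki code): a header audit for the failure mode described under CVE-2013-4572, where a response carrying Set-Cookie is also marked reusable by a shared cache. The sample responses and cookie names are constructed for illustration, and the check looks at Cache-Control only (Expires and cache-specific configuration are out of scope).

```python
from email.parser import Parser

# Directives that stop a shared cache from reusing a response without
# contacting the origin first.
BLOCKING = {"private", "no-store", "no-cache"}

def parse_cache_control(value):
    """Return {directive: argument-or-None}, directive names lower-cased."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def shared_cache_may_reuse(headers):
    """True if Cache-Control lets a shared cache serve this response to others."""
    cc = parse_cache_control(", ".join(headers.get_all("Cache-Control", [])))
    if BLOCKING & cc.keys():
        return False
    # For shared caches s-maxage takes precedence over max-age.
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            arg = cc[directive] or "0"
            return arg.isdigit() and int(arg) > 0
    return "public" in cc

def audit(raw_response_head):
    """Return the cookie names a shared cache could hand to other users."""
    _status, _, header_block = raw_response_head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    names = [c.split("=", 1)[0].strip()
             for c in headers.get_all("Set-Cookie", [])]
    return names if names and shared_cache_may_reuse(headers) else []

# Constructed samples: status line plus headers, as captured from a proxy log.
LEAKY = ("HTTP/1.1 200 OK\n"
         "Cache-Control: s-maxage=3600, must-revalidate, max-age=0\n"
         "Set-Cookie: wiki_session=abc123; path=/; HttpOnly\n"
         "Set-Cookie: wikiUserID=42; path=/\n\n")
PRIVATE = ("HTTP/1.1 200 OK\n"
           "Cache-Control: private, must-revalidate, max-age=0\n"
           "Set-Cookie: wiki_session=abc123; path=/; HttpOnly\n\n")
ANONYMOUS = ("HTTP/1.1 200 OK\n"
             "Cache-Control: s-maxage=3600, must-revalidate, max-age=0\n\n")

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("private", PRIVATE),
                          ("anonymous", ANONYMOUS)):
        print(label, audit(sample))
```

Any non-empty result means a front-end cache could store the listed cookies and return them to a different visitor.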