
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security fixes for CentralAuth and MobileFrontend extensions

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Chris Steipp <csteipp AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, MediaWiki-l <mediawiki-l AT lists.wikimedia.org>, Wikimedia developers <wikitech-l AT lists.wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Security fixes for CentralAuth and MobileFrontend extensions
  • Date: Wed, 8 Oct 2014 14:18:00 -0700
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


A number of security issues in MediaWiki extensions have been fixed.
Users of these extensions should update to the latest version.

* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount failed to validate the anti-csrf
token in its forms when performing actions.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70469>
** (bug 70468) The internal function to attach multiple local wiki
accounts into a single, global account did not re-check that the
requesting user owned the "home wiki" for that username, but assumed
that user did own this account. This could allow a user to add their
local account edits to a global account that they didn't own.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70468>
** (bug 71749) Incomplete fix for bug 70468. The fix wasn't applied to
the new feature where accounts were globalized automatically on login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=71749>
** (bug 70620) When globally renaming a user, the antispoof table,
which prevents similar-looking names from being created, wasn't
updated. This potentially allowed another user to register an account
with a name that looked identical to the username of a user who had
been globally renamed.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70620>

* MobileFrontend: (bug 70009) Sherif Mansour discovered that POST
parameters were being added to links generated by MobileFrontend,
which could reveal the user's password after login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70009>


**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:MobileFrontend
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:MobileFrontend


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlQ1lJoACgkQ7h9mNGLYTwGdgAD/X7q6WfaBoE2SdKjZeoLE9yvs
wg07Fs4kytmmSQDXa4IBAKBgaYuhuRt5j+G5Q9YNdfCCkvlSqnz7heCIX1Ddn5ma
=cOb1
-----END PGP SIGNATURE-----

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
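
The MobileFrontend issue (bug 70009) as an added illustration, not part of the announcement and not MobileFrontend's code: a simplified, hypothetical link builder that carries all request values into generated URLs, next to one that carries only allowlisted query-string values, plus a check that no POST field ends up in a link. The function names and the sample request are constructed for this example.

```php
<?php
// Hypothetical model of a link builder; not MobileFrontend's code.

// Constructed sample request: a login form submitted by POST to a URL
// that also has a query string.
$query = ['title' => 'Special:UserLogin', 'returnto' => 'Main Page'];
$post  = ['wpName' => 'Alice', 'wpPassword' => 'constructed-secret',
          'wpLoginToken' => 'constructed-token'];
$extra = ['useformat' => 'mobile']; // parameter the link itself needs to add

// Before: every request value, GET and POST alike, is carried into the link,
// so the password lands in the href (and from there in history, logs, Referer).
function buildLinkLeaky(string $base, array $query, array $post, array $extra): string {
    return $base . '?' . http_build_query(array_merge($query, $post, $extra));
}

// After: POST data is never consulted, and only allowlisted query-string
// keys are carried over.
function buildLinkSafe(string $base, array $query, array $extra, array $allowed): string {
    $carried = array_intersect_key($query, array_flip($allowed));
    return $base . '?' . http_build_query(array_merge($carried, $extra));
}

// Regression check: names of POST fields whose name or value appears in a URL.
function leakedPostFields(string $url, array $post): array {
    $parts = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $parts);
    $leaked = [];
    foreach ($post as $name => $value) {
        if (array_key_exists($name, $parts) || in_array($value, $parts, true)) {
            $leaked[] = $name;
        }
    }
    return $leaked;
}

$leaky = buildLinkLeaky('/w/index.php', $query, $post, $extra);
$safe  = buildLinkSafe('/w/index.php', $query, $extra, ['title', 'returnto']);

foreach (['leaky' => $leaky, 'safe' => $safe] as $label => $url) {
    $leaked = leakedPostFields($url, $post);
    echo $label, ': ', $url, "\n";
    echo '  POST fields in URL: ', $leaked ? implode(', ', $leaked) : 'none', "\n";
}
```

A check like `leakedPostFields()` fits in a test that submits a form and inspects every link in the rendered response.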

