[IT-SecNots] [MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.24.1, 1.23.8, 1.22.15 and 1.19.23
- From: Markus Glaser <glaser AT hallowelt.biz>
- To: "mediawiki-announce AT lists.wikimedia.org" <mediawiki-announce AT lists.wikimedia.org>, Wikimedia developers <wikitech-l AT lists.wikimedia.org>, "'mediawiki-l AT lists.wikimedia.org'" <mediawiki-l AT lists.wikimedia.org>, "MediaWiki for enterprises (mediawiki-enterprise AT lists.wikimedia.org)" <mediawiki-enterprise AT lists.wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.24.1, 1.23.8, 1.22.15 and 1.19.23
- Date: Wed, 17 Dec 2014 21:23:39 +0000
- Accept-language: de-DE, en-US
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
Hello everyone,
I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and
1.19.23. This is a regular security and maintenance release. Download links
are given at the end of this email. Please note this release marks the end of
lifetime for MediaWiki 1.22 branch.
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
which could lead to XSS. Permission to edit MediaWiki namespace is required
to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain
as part of its name.
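An added illustration of the bug class described in the T77028 item above; this is not MediaWiki's code and not the actual patch. An origin allow-list consulted with a substring test accepts any origin whose name merely contains an allowed domain, so "evil-example.org" or "example.org.attacker.test" is waved through as if it were "example.org". The allow-list values, the sample Origin headers and the "*.host" wildcard convention are constructed for the example and make no claim about MediaWiki's real pattern syntax. `strict_origin_allowed` is the defender's version: parse the Origin header, reject anything that is not a bare scheme://host[:port], and compare the host as a whole.

```python
from urllib.parse import urlsplit

# Constructed allow-list, in the spirit of $wgCrossSiteAJAXdomains.
# "*.wiki.example" is this example's own convention for "any subdomain of
# wiki.example"; it makes no claim about MediaWiki's actual pattern syntax.
ALLOWED_ORIGINS = ["example.org", "*.wiki.example"]


def naive_origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """The flawed check: an allowed name appears *somewhere* in the Origin.

    "evil-example.org" and "example.org.attacker.test" both contain
    "example.org", so both pass.
    """
    return any(entry.lstrip("*.") in origin for entry in allowed)


def _host_matches(host, entry):
    """Exact host match, or label-boundary suffix match for '*.' entries."""
    if entry.startswith("*."):
        suffix = entry[1:]  # "*.wiki.example" -> ".wiki.example"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def strict_origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Parse the Origin header and compare the whole host, not a substring.

    Anything that is not a bare scheme://host[:port] is rejected, so userinfo
    tricks ("https://example.org@attacker.test") and the literal "null"
    origin fail closed.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(_host_matches(host, entry.lower()) for entry in allowed)


def compare(origins):
    """Return {origin: (naive_result, strict_result)} for a list of origins."""
    return {o: (naive_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin header values, not taken from any real request.
    samples = [
        "https://example.org",
        "https://sub.wiki.example",
        "https://evil-example.org",
        "https://example.org.attacker.test",
        "https://example.org@attacker.test",
        "null",
    ]
    for origin, (naive, strict) in compare(samples).items():
        print(f"{origin:40s} naive={naive!s:5s} strict={strict}")
```

Running the block prints the two verdicts side by side; the third, fourth and fifth samples are the ones the substring check gets wrong. The same exact-host comparison is what any CORS or same-site allow-list should do, whatever the web framework.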
== Bugfixes ==
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
* Add missing $ in front of variable in OutputPage.php
== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the
'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
as wikitext and shows a preview, yet it fails to add an edit token to
the form and check it. This can be exploited as an XSS when
$wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox:
Special:TemplateSandbox needs edit token when raw HTML is allowed
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin
leakage of data from a wiki through timing
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3
library for CVE-2014-2053.
Full release notes for 1.24.1:
<https://www.mediawiki.org/wiki/Release_notes/1.24>
Full release notes for 1.23.8:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
Full release notes for 1.22.15:
<https://www.mediawiki.org/wiki/Release_notes/1.22>
Full release notes for 1.19.23:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
Public keys:
<https://www.mediawiki.org/keys/keys.html>
**********************************************************************
1.24.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz
Patch to previous version (1.24.0):
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz.sig
**********************************************************************
1.23.8
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz
Patch to previous version (1.23.7):
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz.sig
**********************************************************************
1.22.15
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz
Patch to previous version (1.22.14):
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz.sig
**********************************************************************
1.19.23
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz
Patch to previous version (1.19.22):
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.23.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz.sig
Markus Glaser
(Wiki Release Team)
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce