Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15


Chronologisch Thread 
  • From: Chad Horohoe <chorohoe AT wikimedia.org>
  • To: "mediawiki-announce AT lists.wikimedia.org" <mediawiki-announce AT lists.wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15
  • Date: Tue, 23 Aug 2016 01:15:11 +0000
  • Authentication-results: mail.intern.piratenpartei.de (MFA); dkim=pass (1024-bit key) header.d=lists.wikimedia.org header.b=gaWB0sGQ; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=wikimedia.org header.b=RPhao/S2
  • List-archive: <https://lists.wikimedia.org/pipermail/mediawiki-announce/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

I would like to announce the release of MediaWiki 1.27.1, 1.26.4, 1.23.15!

These releases fix five security issues in core and one for the extension
PdfHandler. Download links are given at the end of this email.

== Security fixes ==

* (T139565) API: Generate head items in the context of the given title
(CVE-2016-6335)
* (T137264) XSS in unclosed internal links (CVE-2016-6334)
* (T133147) Escape '<' and ']]>' in inline <style> blocks (CVE-2016-6333)
* (T133147) Require login to preview user CSS pages (CVE-2016-6333)
* (T132926) Do not allow undeleting a revision deleted file if it is the
top file (CVE-2016-6336)
* (T129738) Make $wgBlockDisablesLogin also restrict logged in permissions
(CVE-2016-6332)
* (T129738) Make blocks log users out if $wgBlockDisablesLogin is true
(CVE-2016-6332)
* (T115333) Check read permission when loading page content in ApiParse
(CVE-2016-6331)
* (T57548) Remove support for $wgWellFormedXml = false, all output is now
well formed

The following only affects 1.27 and above and is not included in the 1.26
and 1.23 upgrade:
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights() (CVE-2016-6337)

The following fix is for the PdfHandler extension:
* (T136402) Add -dSAFER to ghostscript as hardening measure

== Release notes ==

Full release notes for 1.27.1:
<https://www.mediawiki.org/wiki/Release_notes/1.27>

Full release notes for 1.26.4:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.23.15:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.27.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.1.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.26.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.4.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.23.15
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.15.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.15.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

-Chad H.
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce


  • [IT-SecNots] [MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15, Chad Horohoe, 23.08.2016

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang