it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
- From: Gergő Tisza <gtisza AT gmail.com>
- To: mediawiki-announce AT lists.wikimedia.org
- Subject: [IT-SecNots] [MediaWiki-announce] OAuth security update
- Date: Tue, 25 Oct 2016 14:05:16 -0700
- Authentication-results: mail.intern.piratenpartei.de (MFA); dkim=pass (1024-bit key) header.d=lists.wikimedia.org header.b=OSaRcQiL; dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=gmail.com header.b=iOcfcRak
- List-archive: <https://lists.wikimedia.org/pipermail/mediawiki-announce/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
Hi all,
a minor security bug [1] has been fixed in the OAuth extension:
* a connected application could use the /identify endpoint to learn the username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the username of a user even if the user was locked or blocked from login (this could be problematic when OAuth is used for authentication, such as with the OAuthAuthentication [2] extension).
The fix has been backported to all supported versions (those for MediaWiki 1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication
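The two bullet points above describe one underlying defect: an identify endpoint that validates the access token but never re-checks the state of the consumer application or of the user account behind it. The following is an added illustration, not code from the MediaWiki OAuth extension; the class names, the `identify_*` functions and the sample consumers, accounts and tokens are constructed for this example. It places the token-only check next to a hardened variant that refuses to name a user when the consumer has been disabled or the account is locked or blocked, which is the property the fix restores.

```python
"""Model of an OAuth "identify" endpoint that returns the identity of the
user who authorized a consumer application.

Added illustration, not MediaWiki code. All names and data are constructed.
"""
from dataclasses import dataclass


@dataclass
class Consumer:
    key: str
    enabled: bool            # False once the application has been disabled


@dataclass
class Account:
    username: str
    locked: bool = False     # locked globally: may not log in anywhere
    blocked: bool = False    # blocked from logging in on this wiki


@dataclass
class AccessToken:
    token: str
    consumer_key: str
    username: str


class IdentifyError(Exception):
    """Raised when the endpoint declines to return an identity."""


# Constructed sample state: one live and one disabled consumer, one normal
# account, one blocked account and one locked account, and tokens for each.
CONSUMERS = {
    "app-live": Consumer("app-live", enabled=True),
    "app-disabled": Consumer("app-disabled", enabled=False),
}
ACCOUNTS = {
    "alice": Account("alice"),
    "mallory": Account("mallory", blocked=True),
    "carol": Account("carol", locked=True),
}
TOKENS = {
    "t1": AccessToken("t1", "app-live", "alice"),
    "t2": AccessToken("t2", "app-disabled", "alice"),
    "t3": AccessToken("t3", "app-live", "mallory"),
    "t4": AccessToken("t4", "app-live", "carol"),
}


def identify_token_only(token: str) -> str:
    """Behaviour of the kind the advisory describes: once the token checks
    out, the username is returned without consulting the state of the
    consumer or of the account. A disabled application, or a token belonging
    to a locked or blocked user, still yields a username."""
    t = TOKENS.get(token)
    if t is None:
        raise IdentifyError("invalid token")
    return t.username


def identify_checked(token: str) -> str:
    """Hardened variant: the token must still map to an enabled consumer and
    to an account that is allowed to log in. Every refusal uses the same
    generic error so that the response itself does not reveal account state."""
    t = TOKENS.get(token)
    if t is None:
        raise IdentifyError("invalid token")
    consumer = CONSUMERS.get(t.consumer_key)
    if consumer is None or not consumer.enabled:
        raise IdentifyError("invalid token")
    account = ACCOUNTS.get(t.username)
    if account is None or account.locked or account.blocked:
        raise IdentifyError("invalid token")
    return account.username


def leaks_username(token: str) -> bool:
    """True when the token-only variant reveals a username that the checked
    variant refuses, i.e. the case the fix closes."""
    try:
        identify_checked(token)
        return False
    except IdentifyError:
        pass
    try:
        identify_token_only(token)
        return True
    except IdentifyError:
        return False


if __name__ == "__main__":
    for tok in ("t1", "t2", "t3", "t4", "bogus"):
        print(tok, "leaks username" if leaks_username(tok) else "ok")
```

The point for anyone reviewing a comparable endpoint is that a valid token is a necessary but not sufficient condition: the decision to disclose an identity has to be re-evaluated against the current state of both parties on every call, and that matters most where the identify response is what a downstream system treats as a login.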
Archive provided by MHonArc 2.6.19.