Hi. As you can read below, MediaWiki has just released a security release.

We are currently not hit by the issues noted in the mail. However, I would like to ask the community if we should upgrade or wait for a later release? If we upgrade, we have to test all extensions again.

rgds
Jan I.

---------- Forwarded message ----------
From: Chris Steipp <cste...@wikimedia.org>
Date: 4 March 2013 20:19
Subject: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4
To: mediawiki-annou...@lists.wikimedia.org, Wikimedia developers <wikitec...@lists.wikimedia.org>

I would like to announce the release of MediaWiki 1.20.3 and 1.19.4. These releases fix 3 security related bugs that could affect users of MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST when establishing an SSL connection, instead of '2'.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=44135>
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=42441>

* MediaWiki developer Krenair discovered that the full user object, including password hash, could be returned when unblocking a user by the API. Exploitation of this vulnerability requires the user to have permissions to unblock users; by default this is limited to users in the sysop group.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=43518>

* MediaWiki developer Platonides discovered that the maintenance script mwdoc-filter.php did not check if it was being run via the CLI, and could allow an attacker to read arbitrary files if PHP's register_globals was enabled and the .htaccess file in the maintenance directory, which by default denies access for all users, was disabled.
  <https://bugzilla.wikimedia.org/show_bug.cgi?id=45355>

Full release notes for 1.20.3:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.4:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.20.3
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz

Patch to previous version (1.20.2), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.19.4
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz

Patch to previous version (1.19.3), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
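The first item in the announcement, the CURLOPT_SSL_VERIFYHOST setting, is easy to get wrong from PHP: `true` is cast to 1, which on the libcurl of that era only checked that the certificate carried a common name and never matched it against the hostname. The following is an added illustration, not MediaWiki's own code: the weak option set beside the corrected one, plus a small audit helper that flags either mistake in an option array. The CA bundle path is an assumed value.

```php
<?php
// Added example (not MediaWiki code): weak vs. corrected curl TLS options,
// and an audit helper that catches the misconfiguration in review or tests.

// Weak: PHP casts true to 1. With VERIFYHOST=1 the peer certificate only
// needed to contain *a* name; it was not matched against the URL's host,
// so a valid certificate for any other host was accepted.
function weak_curl_options(): array {
    return [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => true, // cast to 1: no hostname match
    ];
}

// Corrected: 2 requires the certificate name to match the host in the URL.
function hardened_curl_options(): array {
    return [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Assumed CA bundle location; adjust for the deployment.
        CURLOPT_CAINFO => '/etc/ssl/certs/ca-certificates.crt',
    ];
}

// Returns a list of findings for an option array; empty means both
// chain validation and hostname matching are enabled.
function audit_tls_options(array $opts): array {
    $findings = [];
    if (empty($opts[CURLOPT_SSL_VERIFYPEER])) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: certificate chain is not validated';
    }
    $vh = $opts[CURLOPT_SSL_VERIFYHOST] ?? null;
    if ((int) $vh !== 2) {
        $findings[] = sprintf(
            'CURLOPT_SSL_VERIFYHOST is %s (expected 2): hostname is not matched',
            var_export($vh, true)
        );
    }
    return $findings;
}

// Performs a GET with the given TLS options and returns the body (or false).
function fetch(string $url, array $tlsOpts) {
    $ch = curl_init($url);
    curl_setopt_array($ch, $tlsOpts + [CURLOPT_RETURNTRANSFER => true]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

print_r(audit_tls_options(weak_curl_options()));
print_r(audit_tls_options(hardened_curl_options()));
```

Running the audit over every place an extension builds curl options is a cheap way to confirm the regression described above has not crept back in after an upgrade.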