[Tech] wiki.partimus.org at 1.20.4

Grant Bowman grantbow at partimus.org
Wed Apr 17 14:53:55 PDT 2013


FYI, I tested this patch using the command "patch -p1 --dry-run <
mediawiki-1.20.4.patch" then applied it without the --dry-run.

Many thanks to Quim Gil, Daniel Zahn and Rob Lanphier for coming to
balug.org last night to talk about the Wikimedia Foundation and their
work on MediaWiki.

Cheers,

Grant Bowman


---------- Forwarded message ----------
From: Chris Steipp <csteipp at wikimedia.org>
Date: Mon, Apr 15, 2013 at 1:37 PM
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.20.4 and 1.19.5
To: mediawiki-announce at lists.wikimedia.org, MediaWiki-l
<mediawiki-l at lists.wikimedia.org>, Wikimedia developers
<wikitech-l at lists.wikimedia.org>


I would like to announce the release of MediaWiki 1.20.4 and 1.19.5.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* An internal review discovered that specially crafted Lua function
names could lead to XSS.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46084>

* Daniel Franke reported that during SVG parsing, MediaWiki failed to
prevent XML external entity (XXE) processing. This could lead to local
file disclosure, or potentially remote command execution in
environments that have enabled expect:// handling.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46859>

* Internal review also discovered that Special:Import, and
Extension:RSS failed to prevent XML external entity (XXE) processing.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=47251>


Full release notes for 1.20.4:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.5:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.20.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz

Patch to previous version (1.20.3):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


**********************************************************************
   1.19.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz

Patch to previous version (1.19.4):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   Extension:RSS
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:RSS

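The SVG XXE issue in the announcement above, seen from the defending side. This is an added example, not part of either message and not MediaWiki's code or its fix: a check, written in Python for illustration (MediaWiki itself is PHP), that refuses any SVG that declares an entity. The names `check_svg` and `UnsafeXML` are hypothetical and the sample documents are constructed.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document declares or references an entity."""


def check_svg(data: bytes) -> str:
    """Return the root element name, or raise UnsafeXML / ValueError."""
    # A bare DOCTYPE is tolerated: expat does not load the external DTD
    # subset by default. Any entity declaration is refused at the point it
    # is declared, so it is never expanded or resolved.
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration refused: {name}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference refused: {system_id}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return root[0]


# Constructed samples, not taken from the advisory or the bug reports.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><text>ok</text></svg>'
DOCTYPE_ONLY = (b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
                b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">' + CLEAN)
EXTERNAL = (b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
            b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
INTERNAL = b'<!DOCTYPE svg [<!ENTITY a "aaaa">]><svg><text>&a;</text></svg>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("doctype", DOCTYPE_ONLY),
                       ("external", EXTERNAL), ("internal", INTERNAL)]:
        try:
            print(label, "accepted, root:", check_svg(doc))
        except ValueError as exc:
            print(label, "rejected:", exc)
```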