=====================================================================
CERT-Renater Information Note No. 2006/VULN129
_____________________________________________________________________
DATE                 : 03/04/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running MediaWiki versions prior to
                       1.5.8 and 1.4.15.
======================================================================

MediaWiki 1.5.8 and 1.4.15 are security and bugfix maintenance releases.

A bug in decoding of certain encoded links could allow injection of raw
HTML into page output; this could potentially lead to XSS attacks.

Some minor UI fixes were also made, see the change log at the bottom of
the release notes.

Release notes:
  1.5.8:  http://sourceforge.net/project/shownotes.php?release_id=404871
  1.4.15: http://sourceforge.net/project/shownotes.php?release_id=404869

Download:
  http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5.8.tar.gz
  http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.15.tar.gz

MD5 checksums:
  1eef94157377fa8c3d049877a27c0163  mediawiki-1.5.8.tar.gz
  e729190a32d54118d24bec4021b0729e  mediawiki-1.4.15.tar.gz

Before asking for help, try the FAQ:
  http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
  http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
  http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
  http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC:
  #mediawiki on irc.freenode.net

--
brion vibber (brion @ pobox.com)

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================
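The note describes the defect class only in one sentence: percent-encoded link text is decoded in a way that lets raw HTML reach the page. The following is an added, generic illustration written for this page, not MediaWiki's code and not a reproduction of the specific 1.5.8/1.4.15 bug. It contrasts a link renderer that HTML-escapes before percent-decoding (so the escaper never sees the decoded characters) with one that decodes first and escapes as the last step, plus the check a reviewer can run on rendered output. The function names, the `/wiki/` path prefix and the sample link target are all constructed for the example.

```python
"""Decode-after-escape versus decode-then-escape when rendering links.

Added, generic example for this note. It is NOT MediaWiki code and does
not reproduce the exact bug fixed in 1.5.8 / 1.4.15; it shows the class
of defect the advisory names: if percent-decoding runs after HTML
escaping, characters hidden behind %XX sequences bypass the escaper and
reach the page as raw markup.
"""
from html import escape
from urllib.parse import unquote

# Constructed sample link target: "Main Page" followed by an encoded <b> tag.
SAMPLE_TARGET = "Main%20Page%3Cb%3Ebold%3C%2Fb%3E"


def render_link_vulnerable(encoded_target: str) -> str:
    """Wrong order: escape first, then percent-decode.

    escape() sees only harmless '%' and hex digits, so it changes nothing;
    the later unquote() then reveals '<', '>' and '/' as raw characters.
    """
    escaped = escape(encoded_target, quote=True)
    decoded = unquote(escaped)  # decoding after escaping: the defect
    return f'<a href="/wiki/{decoded}">{decoded}</a>'


def render_link_safe(encoded_target: str) -> str:
    """Correct order: fully decode first, escape as the very last step."""
    decoded = unquote(encoded_target)
    safe = escape(decoded, quote=True)
    return f'<a href="/wiki/{safe}">{safe}</a>'


def has_unexpected_markup(rendered: str) -> bool:
    """Reviewer's check: a rendered link must contain exactly two tags,
    the opening <a ...> and the closing </a>.  Any additional '<' means
    user-controlled text reached the output unescaped."""
    return rendered.count("<") != 2


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_link_vulnerable),
                     ("safe", render_link_safe)):
        out = fn(SAMPLE_TARGET)
        print(f"{name:10s} leaks markup: {has_unexpected_markup(out)}")
        print("           ", out)
```

The general rule the example encodes is that output encoding must be the final transformation applied to untrusted data; any decode (percent, entity, unicode normalisation) that runs afterwards reopens the injection. In a real code base the check in `has_unexpected_markup` is best expressed as a unit test over the templating layer rather than a string count.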
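The announcement publishes MD5 sums for both tarballs. The script below is an added example for this page, not part of the original announcement or of MediaWiki: it checks a downloaded file against the published value for its file name, fails closed for unknown names or mismatches, and includes a constructed self-check using the well-known MD5 of the three bytes `abc`. The function names and the self-check's temporary files are constructed for the example; the two published checksums are copied from the note.

```python
"""Verify downloaded MediaWiki tarballs against the MD5 sums in the note.

Added example for this page (not part of the original announcement).
PUBLISHED_MD5 holds the values exactly as printed in the note.
"""
import hashlib
import hmac
import os
import sys
import tempfile
from pathlib import Path

# Checksums copied from the release announcement above.
PUBLISHED_MD5 = {
    "mediawiki-1.5.8.tar.gz": "1eef94157377fa8c3d049877a27c0163",
    "mediawiki-1.4.15.tar.gz": "e729190a32d54118d24bec4021b0729e",
}

# Constructed sample for the self-check: MD5 of the bytes b"abc".
CONSTRUCTED_SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def md5_of_file(path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 so large tarballs need little memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_table=PUBLISHED_MD5) -> bool:
    """True only if the file's MD5 equals the published value for its name.

    Unknown file names fail closed, and compare_digest is used so the
    comparison does not depend on where the first differing byte is.
    """
    name = os.path.basename(str(path))
    expected = expected_table.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(md5_of_file(path), expected.lower())


def self_check() -> dict:
    """Constructed demonstration: builds a fake tarball in a temp dir.

    The fake file holds b"abc", so it matches a table built from
    CONSTRUCTED_SAMPLE_MD5 but must be rejected against the published
    table, against an empty table and against a tampered expected value.
    """
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "mediawiki-1.5.8.tar.gz"
        fake.write_bytes(b"abc")  # constructed content, not the real tarball
        return {
            "matches_constructed_table":
                verify_download(fake, {fake.name: CONSTRUCTED_SAMPLE_MD5}),
            "rejects_published_table": verify_download(fake),
            "rejects_unknown_name": verify_download(fake, {}),
            "rejects_tampered": verify_download(fake, {fake.name: "0" * 32}),
        }


if __name__ == "__main__":
    # Usage: python verify_mediawiki.py mediawiki-1.5.8.tar.gz [...]
    status = 0
    for arg in sys.argv[1:]:
        ok = verify_download(arg)
        print(f"{'OK  ' if ok else 'FAIL'} {arg}")
        status |= 0 if ok else 1
    sys.exit(status)
```

A checksum published in the same announcement as the download link only protects against a corrupted or truncated transfer; it does not protect against someone who can alter both the tarball and the announcement, which is why release signatures, where a project offers them, are the stronger check.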