=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN129
_____________________________________________________________________

DATE                      : 03/04/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MediaWiki versions prior to
                            1.5.8 and 1.4.15.

======================================================================

MediaWiki 1.5.8 and 1.4.15 are security and bugfix maintenance releases.

A bug in decoding of certain encoded links could allow injection of raw
HTML into page output; this could potentially lead to XSS attacks.

Some minor UI fixes were also made; see the change log at the bottom of
the release notes.


Release notes:
1.5.8: http://sourceforge.net/project/shownotes.php?release_id=404871
1.4.15: http://sourceforge.net/project/shownotes.php?release_id=404869

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5.8.tar.gz
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.15.tar.gz

MD5 checksums:
1eef94157377fa8c3d049877a27c0163 mediawiki-1.5.8.tar.gz
e729190a32d54118d24bec4021b0729e mediawiki-1.4.15.tar.gz


Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- brion vibber (brion @ pobox.com)

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


