=====================================================================
CERT-Renater Information Note No. 2013/VULN097
_____________________________________________________________________

DATE : 06/03/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running MediaWiki versions prior to 1.20.3, 1.19.4.
======================================================================

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-March/000125.html
______________________________________________________________________

I would like to announce the release of MediaWiki 1.20.3 and 1.19.4.
These releases fix 3 security-related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST
  when establishing an SSL connection, instead of '2'.

* MediaWiki developer Krenair discovered that the full user object,
  including password hash, could be returned when unblocking a user by
  the API. Exploitation of this vulnerability requires the user to have
  permissions to unblock users; by default this is limited to users in
  the sysop group.

* MediaWiki developer Platonides discovered that the maintenance script
  mwdoc-filter.php did not check if it was being run via the CLI, and
  could allow an attacker to read arbitrary files if PHP's
  register_globals was enabled and the .htaccess file in the maintenance
  directory, which by default denies access for all users, was disabled.
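The first item above is a type-juggling mistake rather than a missing option. The following is an added example (not MediaWiki's or libcurl's own code) showing why: PHP casts `true` to the integer 1, and for libcurl of that era the value 1 only checked that the certificate carried some common name, while 2 checks that the name matches the host being contacted. The URL is a placeholder.

```php
<?php
// Added example, not MediaWiki code: weak vs. hardened CURLOPT_SSL_VERIFYHOST.

// Reject anything but the two meaningful values before it reaches libcurl.
// A boolean 'true' would otherwise silently become 1 (see var_dump below).
function strictVerifyHost($value): int {
    if (!is_int($value) || !in_array($value, [0, 2], true)) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be the int 2 (or 0 to disable), got '
            . var_export($value, true)
        );
    }
    return $value;
}

function buildHandle(string $url, int $verifyHost) {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,        // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => $verifyHost, // 2: certificate name must match the host
    ]);
    return $ch;
}

// What libcurl actually received from the pre-1.20.3 code path:
var_dump((int) true); // int(1): "a common name exists", not "it matches this host"

// The weak value is caught before any connection is made.
try {
    buildHandle('https://example.invalid/', strictVerifyHost(true));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Corrected behaviour, matching the 1.20.3 / 1.19.4 fix.
$fixed = buildHandle('https://example.invalid/', strictVerifyHost(2));
```

Note that what libcurl does with the value 1 depends on its version: 7.28.1 and later reject it as a setopt error, and 7.66.0 and later treat it as 2, but the libcurl builds current in 2013 silently performed the weaker check, so pin the value to 2 explicitly rather than relying on the library to correct it.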
Full release notes for 1.20.3:

Full release notes for 1.19.4:

For information about how to upgrade, see

**********************************************************************
1.20.3
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz

Patch to previous version (1.20.2), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
1.19.4
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz

Patch to previous version (1.19.3), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris            | email: certsvp@renater.fr      +
=========================================================