=====================================================================
CERT-Renater Information Note No. 2013/VULN516
_____________________________________________________________________
DATE : 15/11/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): systems running MediaWiki versions prior to 1.21.3, 1.20.8, 1.19.9.
======================================================================
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-November/000135.html
______________________________________________________________________

I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and 1.19.9. These releases fix 2 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email.

* Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568).

* Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached and returned to other users (CVE-2013-4572).

Additionally, the following extensions have been updated to fix security issues:

* CleanChanges: MediaWiki steward Teles reported that revision-deleted IPs are not correctly hidden when this extension is used (CVE-2013-4569).

* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability (CVE-2013-4573).

* CentralAuth: MediaWiki developer Platonides reported a login CSRF in CentralAuth (CVE-2012-5394).
Full release notes for 1.21.3:
Full release notes for 1.20.8:
Full release notes for 1.19.9:

For information about how to upgrade, see

**********************************************************************
1.21.3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.tar.gz

Patch to previous version (1.21.2), without interface text:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.20.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.tar.gz

Patch to previous version (1.20.7), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.8.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.19.9
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.tar.gz

Patch to previous version (1.19.8), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.patch.gz

Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.9.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.9.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:CentralNotice
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralNotice

**********************************************************************
Extension:CleanChanges
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CleanChanges

**********************************************************************
Extension:ZeroRatedMobileAccess
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:ZeroRatedMobileAccess

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris           | email: cert@support.renater.fr   +
==========================================================
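The cache-header defect behind CVE-2013-4572 in the announcement above (a response that sets a freshly created user's session cookies while still carrying headers that let a shared cache store it) is a class of bug an operator can audit for from outside the application. The following is an added example, not MediaWiki's or the CentralNotice extension's code: it parses a raw HTTP response head and flags responses that set cookies without a `private` or `no-store` cache directive. The sample responses are constructed, and the `wiki_session`/`wikiUserName` cookie names and the `wiki.example` URLs are assumptions made for the example.

```python
"""
Added illustrative check (not MediaWiki's own code): flag HTTP responses that
set a cookie while their cache headers still let a shared cache such as
Squid, Varnish or a CDN store the response. That combination is the class of
defect behind CVE-2013-4572, where a cached response carried one user's
session cookies to other users.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    url: str
    cookie_names: list[str]
    cache_control: str
    reasons: list[str] = field(default_factory=list)


def parse_response_head(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Parse a raw HTTP/1.x response head into (status line, [(name, value)]).
    Header names are lower-cased; repeated headers (several Set-Cookie) are kept."""
    lines = raw.strip("\r\n").splitlines()
    status_line = lines[0].strip()
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the head; a body, if any, follows
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def cache_control_directives(value: str) -> dict[str, str | None]:
    """Split 'private, max-age=0, s-maxage=18000' into {'private': None, 'max-age': '0', ...}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_cookie_caching(url: str, raw_response: str) -> Finding | None:
    """Return a Finding when the response sets cookies but a shared cache may store it."""
    _, headers = parse_response_head(raw_response)
    cookie_names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    if not cookie_names:
        return None  # nothing user-specific to leak through the cache

    cc_values = [v for n, v in headers if n == "cache-control"]
    cache_control = ", ".join(cc_values)
    cc = cache_control_directives(cache_control) if cc_values else {}

    # RFC 7234: either 'private' or 'no-store' keeps a shared cache from storing the response.
    if "private" in cc or "no-store" in cc:
        return None

    reasons: list[str] = []
    if not cc_values:
        reasons.append("no Cache-Control header: heuristic caching of a 200 response is allowed")
    if "public" in cc:
        reasons.append("Cache-Control: public")
    if "s-maxage" in cc:
        reasons.append(f"s-maxage={cc['s-maxage']} lets shared caches keep the response fresh")
    if cc.get("max-age") not in (None, "0"):
        reasons.append(f"max-age={cc['max-age']} without 'private'")
    if cc_values and not reasons:
        reasons.append("Cache-Control lacks 'private' or 'no-store'")
    return Finding(url, cookie_names, cache_control, reasons)


# Constructed sample responses (not captured from a real wiki). The first combines
# a long shared-cache lifetime of the kind used for anonymous page views with a
# session cookie; the second carries the 'private' directive a response for a
# logged-in or autocreated user needs.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: wiki_session=CONSTRUCTED-SESSION-ID; path=/; HttpOnly
Set-Cookie: wikiUserName=Example; path=/
Cache-Control: s-maxage=18000, must-revalidate, max-age=0
Vary: Accept-Encoding
"""

FIXED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: wiki_session=CONSTRUCTED-SESSION-ID; path=/; HttpOnly
Cache-Control: private, must-revalidate, max-age=0
Vary: Accept-Encoding, Cookie
"""

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        finding = audit_cookie_caching(f"https://wiki.example/{label}", raw)
        print(label, "->", finding.reasons if finding else "ok")
```

Run the audit against the response heads of the pages a newly created or freshly logged-in user is sent to (the account-creation and login flows, and the first page view after them), since those are where a session cookie and an anonymous-style cache policy are most likely to meet. Some reverse proxies refuse to store any response carrying Set-Cookie, but that is a property of the proxy configuration, not of the application, so the check treats such responses as findings regardless.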