
====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN291
_____________________________________________________________________

DATE                : 21/09/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to 1.31.1,
                     1.30.1, 1.29.3, 1.27.5.

=====================================================================
http://lists.wikimedia.org/pipermail/mediawiki-announce/2018-September/000223.html
_____________________________________________________________________

I would like to announce the release of MediaWiki 1.31.1, 1.30.1, 1.29.3
and 1.27.5!

These releases fix 4 security issues in core and also include some minor
security and hardening patches previously committed to git.
Download links are given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows. Git
tags will follow soon after. All related tasks will be made public in
Phabricator too in the following few hours.

Please note that July 2018 was the End-Of-Life date for MediaWiki 1.29.
This means that MediaWiki 1.29.3 will be the last security release for
that version, barring any unforeseen issues. We would strongly encourage
users of MediaWiki 1.29 to upgrade to MediaWiki 1.31, released in June
2018, or a yet newer version as soon as possible. MediaWiki 1.31 will be
supported until July 2021.
See <https://www.mediawiki.org/wiki/Version_lifecycle> for more
information.

The patch files for this release are larger than normal as we are
switching to a new release script that more aggressively removes
dotfiles and other development files.
Extensions missing from previous releases have been re-added, and
unnecessary dependencies in vendor have been removed.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T169545, CVE-2018-0503) $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) BotPasswords can bypass CentralAuth's account
  lock.
  Reported by Rxy.
* (T187638, CVE-2018-0504) When a log event is (partially) hidden
  Special:Redirect/logid can link to the incorrect log and reveal hidden
  information.
  Reported by JJMC89.
* (T193237) Special:BotPasswords should require reauthentication. No CVE
  was issued since this is a hardening measure.

The following only affects the 1.31 tarball:
* (T199029, CVE-2018-13258) Tarball was missing .htaccess files.
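
As an added check (example code, not from CERT-Renater or the MediaWiki
project), the following Python script reports, for a deployed MediaWiki
tree, whether its $wgVersion is at or above the fixed release of its branch
(1.27.5, 1.29.3, 1.30.1, 1.31.1) and which .htaccess files a fresh unpack of
the fixed tarball ships that the deployed tree lacks. It assumes $wgVersion
is still assigned in includes/DefaultSettings.php and that an unpacked copy
of the fixed tarball is available as the reference; the two trees it builds
for the demonstration are constructed, not real installs.

```python
"""Post-advisory checks for a deployed MediaWiki tree (added example, not
CERT-Renater or MediaWiki project code).

Assumptions: the deployed tree keeps includes/DefaultSettings.php with a
line of the form  $wgVersion = '1.31.0';  and a fresh unpack of the fixed
tarball is available to serve as the reference for the .htaccess check.
"""
import os
import re
import tempfile

# First fixed release on each branch, as listed in the advisory.
FIXED = {
    (1, 27): (1, 27, 5),
    (1, 29): (1, 29, 3),
    (1, 30): (1, 30, 1),
    (1, 31): (1, 31, 1),
}

_WGVERSION = re.compile(
    r"^\s*\$wgVersion\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?[^']*'\s*;", re.M)


def parse_version(php_text):
    """Return (major, minor, patch) from a $wgVersion assignment, or None.
    A suffix such as -rc.0 is ignored; a missing patch number counts as 0."""
    m = _WGVERSION.search(php_text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def installed_version(root):
    """Read $wgVersion from includes/DefaultSettings.php under root."""
    path = os.path.join(root, "includes", "DefaultSettings.php")
    with open(path, encoding="utf-8") as f:
        return parse_version(f.read())


def assess(version):
    """'fixed' or 'vulnerable' for the four branches the advisory covers;
    'unsupported' for any other branch, which receives no fix in this
    release and should be treated as vulnerable."""
    branch = version[:2]
    if branch not in FIXED:
        return "unsupported"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


def htaccess_files(root):
    """Relative paths of every .htaccess file below root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            found.add(os.path.relpath(os.path.join(dirpath, ".htaccess"), root))
    return found


def missing_htaccess(deployed_root, reference_root):
    """.htaccess files shipped in the reference tree but absent from the
    deployed one (CVE-2018-13258: the 1.31.0 tarball omitted them)."""
    return htaccess_files(reference_root) - htaccess_files(deployed_root)


def write_tree(root, version, htaccess_dirs):
    """Constructed sample tree: a DefaultSettings.php with the given
    $wgVersion plus empty .htaccess files in the listed subdirectories."""
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "includes", "DefaultSettings.php"), "w") as f:
        f.write("<?php\n$wgVersion = '%s';\n" % version)
    for d in htaccess_dirs:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        open(os.path.join(root, d, ".htaccess"), "w").close()


def run_demo():
    """A constructed 1.31.0 install checked against a constructed 1.31.1
    unpack; returns (version status, set of .htaccess files to restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        deployed = os.path.join(tmp, "w")
        reference = os.path.join(tmp, "mediawiki-1.31.1")
        write_tree(deployed, "1.31.0", ["includes"])
        write_tree(reference, "1.31.1", ["includes", "images", "cache"])
        status = assess(installed_version(deployed))
        missing = missing_htaccess(deployed, reference)
        return status, missing


if __name__ == "__main__":
    status, missing = run_demo()
    print("version status:", status)      # vulnerable
    print("restore:", sorted(missing))    # ['cache/.htaccess', 'images/.htaccess']
```

To use it on a real system, call installed_version() and assess() on the
wiki's document root and missing_htaccess() with that root and the directory
produced by unpacking the matching fixed tarball; restore any reported
.htaccess files (or the equivalent web-server rules) before relying on the
upgrade, since they are what keeps uploaded and cache content from being
served as scripts.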

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T169545
* https://phabricator.wikimedia.org/T194605
* https://phabricator.wikimedia.org/T187638
* https://phabricator.wikimedia.org/T193237
* https://phabricator.wikimedia.org/T199029

== Release notes ==

Full release notes for 1.27.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.29.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
https://www.mediawiki.org/wiki/Release_notes/1.29

Full release notes for 1.30.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30

Full release notes for 1.31.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz

Patch to previous version (1.27.4):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz

Patch to previous version (1.29.2):
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz

Patch to previous version (1.30.0):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz

Patch to previous version (1.31.0):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


