
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN182

_____________________________________________________________________

DATE                : 12/06/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to 1.32.2,
                     1.31.2, 1.30.2, 1.27.6.

=====================================================================
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-June/000230.html
_____________________________________________________________________

Hi all,

I would like to announce the release of MediaWiki 1.32.2, 1.31.2, 1.30.2
and 1.27.6!

These releases fix 11 security issues in core (not 12 as reported in the
pre-release announcement. This was a mistake, sorry!) and also include
some fixes previously committed to git as minor security and hardening
patches.

Download links are given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows.
Git tags will follow soon after. All related tasks will be made public
in Phabricator too in the following few hours.

Please note that December 2018 was the End-Of-Life date for MediaWiki
1.30. This means that MediaWiki 1.30.2 will be the last security release
for that version, barring any unforeseen issues. We would strongly
encourage users of MediaWiki 1.30 to upgrade to MediaWiki 1.31 (LTS
version), released in June 2018, or a yet newer version as soon as
possible. MediaWiki 1.31 will be supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

June 2019 is the scheduled End-Of-Life date for MediaWiki 1.27 (the old
LTS version). This means that MediaWiki 1.27.6 will be the last security
release for that version, barring any unforeseen issues. We would
strongly encourage users of MediaWiki 1.27 to upgrade to MediaWiki 1.31
(LTS version), released in June 2018, or a yet newer version as soon as
possible. MediaWiki 1.31 will be supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail
would allow for bypassing reauthentication, allowing for potential
account takeover.
* (T204729, CVE-2019-12473) Passing invalid titles to the API could
cause a DoS by querying the entire `watchlist` table.
* (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent
account allows anyone to create the account, and XSS the users loading
that script.
* (T208881) blacklist CSS var().
* (T199540, CVE-2019-12472) It is possible to bypass the limits on IP
range blocks (`$wgBlockCIDRLimit`) by using the API.
* (T212118, CVE-2019-12474) Privileged API responses that include
whether a recent change has been patrolled may be cached publicly.
* (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to
send out spam with no rate limiting or ability to block them.
* (T25227, CVE-2019-12466) An account can be logged out without using
a token (CSRF).
* (T222036, CVE-2019-12469) Exposed suppressed username or log in
Special:EditTags.
* (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete
page.
* (T221739, CVE-2019-11358) Fix potential XSS in jQuery.
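As an added example (not part of the announcement, and not code from Wikimedia or CERT-Renater), the following script classifies an installed MediaWiki version against the fixed releases named above, so an operator can tell at a glance whether a deployment still needs this update. It assumes the installed version is declared as `$wgVersion = '...';` in `includes/DefaultSettings.php` (true for the branches listed here; the sample file content below is constructed), and the result categories ("fixed", "vulnerable", "branch-not-covered", "newer-than-advisory") are this example's own labels, not anything the advisory defines. A pre-release tag (e.g. `1.32.2-rc.0`) is conservatively treated as older than the final release.

```python
import re
from typing import Optional, Tuple

# Fixed releases from the announcement: branch (major, minor) -> first
# patch level that carries the eleven security fixes.
FIXED_PATCH_LEVEL = {
    (1, 27): 6,
    (1, 30): 2,
    (1, 31): 2,
    (1, 32): 2,
}

# Assumption: on these branches the installed version is declared as
# "$wgVersion = '1.31.1';" in includes/DefaultSettings.php.
_WG_VERSION_RE = re.compile(r"""\$wgVersion\s*=\s*['"]([^'"]+)['"]\s*;""")

# major.minor[.patch][-prerelease-suffix]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?$")


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Split '1.31.2' or '1.32.0-rc.0' into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, m.group(4) is not None


def assess(version: str) -> str:
    """Classify a version against the fixed releases of this advisory.

    'fixed'                - on a listed branch, at or above the fixed patch level
    'vulnerable'           - on a listed branch, below the fixed patch level
                             (pre-releases of the fixed version count as below)
    'branch-not-covered'   - older branch with no release in this advisory;
                             the announcement recommends moving to 1.31 (LTS)
    'newer-than-advisory'  - branch newer than any listed here; this advisory
                             says nothing about it
    """
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        fixed = FIXED_PATCH_LEVEL[branch]
        if patch > fixed or (patch == fixed and not prerelease):
            return "fixed"
        return "vulnerable"
    if branch > max(FIXED_PATCH_LEVEL):
        return "newer-than-advisory"
    return "branch-not-covered"


def extract_wg_version(default_settings_php: str) -> Optional[str]:
    """Pull the $wgVersion string out of DefaultSettings.php source text."""
    m = _WG_VERSION_RE.search(default_settings_php)
    return m.group(1) if m else None


# Constructed stand-in for the top of includes/DefaultSettings.php.
SAMPLE_DEFAULT_SETTINGS = """<?php
/**
 * Default values for MediaWiki configuration settings.
 */
$wgVersion = '1.31.1';
$wgSitename = 'MediaWiki';
"""


def assess_install(default_settings_php: str) -> str:
    """Convenience wrapper: read the version from the PHP source and classify it."""
    version = extract_wg_version(default_settings_php)
    if version is None:
        raise ValueError("could not find $wgVersion in the supplied source")
    return assess(version)


if __name__ == "__main__":
    found = extract_wg_version(SAMPLE_DEFAULT_SETTINGS)
    print(f"installed: {found} -> {assess_install(SAMPLE_DEFAULT_SETTINGS)}")
    for v in ("1.27.5", "1.27.6", "1.29.2", "1.32.2-rc.0", "1.32.2", "1.33.0"):
        print(f"{v:>12} -> {assess(v)}")
```

In practice you would feed `assess_install` the real `includes/DefaultSettings.php` from the wiki's document root; a "vulnerable" or "branch-not-covered" result means the upgrade path described in the announcement still applies.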

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T197279
* https://phabricator.wikimedia.org/T204729
* https://phabricator.wikimedia.org/T207603
* https://phabricator.wikimedia.org/T208881
* https://phabricator.wikimedia.org/T199540
* https://phabricator.wikimedia.org/T212118
* https://phabricator.wikimedia.org/T209794
* https://phabricator.wikimedia.org/T222036
* https://phabricator.wikimedia.org/T222038
* https://phabricator.wikimedia.org/T221739
* https://phabricator.wikimedia.org/T25227

== Release notes ==

Full release notes for 1.27.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.30.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30

Full release notes for 1.31.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.32.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.32
https://www.mediawiki.org/wiki/Release_notes/1.32

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************

Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz

Patch to previous version (1.27.5):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz

Patch to previous version (1.30.1):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz

Patch to previous version (1.31.1):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz

Patch to previous version (1.32.1):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz

Patch to previous version (1.33.1):
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================