[thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Stuart Henderson-6
Could somebody who uses www/wikimedia take a look at updating it please?
Last week's security fixes include a fix for an authentication bypass bug.


----- Forwarded message from Thijs Kinkhorst <[hidden email]> -----

From: Thijs Kinkhorst <[hidden email]>
Date: Wed, 4 Sep 2013 12:18:36 +0200
To: [hidden email]
Cc: Chris Steipp <[hidden email]>
Reply-To: [hidden email]
Importance: Normal
User-Agent: SquirrelMail/1.4.23 [SVN]
Subject: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8

Hi,

Mediawiki has announced the following security releases. The message
contains a link to the patches for various release branches.

Can CVE names be assigned please?


thanks,
Thijs

---------------------------- Original Message ----------------------------
Subject: [MediaWiki-announce] MediaWiki Security Release: 1.21.2, 1.20.7
and 1.19.8
From:    "Chris Steipp" <[hidden email]>
Date:    Tue, September 3, 2013 22:50
To:      [hidden email]
         "MediaWiki-l" <[hidden email]>
         "Wikimedia developers" <[hidden email]>
--------------------------------------------------------------------------

I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and
1.19.8. These releases fix 3 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.

* Mozilla, and other developers, reported a full path disclosure in
MediaWiki, when an invalid language is specified in ResourceLoader
<https://bugzilla.wikimedia.org/show_bug.cgi?id=46332>

* An internal review found several API modules allowed anti-CSRF tokens to
be accessed via JSONP.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49090>

* Andreas Peetz reported an issue with the MediaWiki API where an invalid
property name could be used for XSS with older versions of Internet
Explorer.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52746>


Additionally, the following extensions have been updated to fix security
issues:

* CentralAuth: An internal review found an authentication regression that
allowed an attacker to bypass authentication
<https://bugzilla.wikimedia.org/show_bug.cgi?id=52338>

* SyntaxHighlight_GeSHi: Mateusz Goik reported an XSS in the included
example.php script
<https://bugzilla.wikimedia.org/show_bug.cgi?id=49070>

* CheckUser: Alex Monk reported and fixed that CheckUser didn't require
anti-CSRF tokens for checking users
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45019>

* Wikibase: Liangent reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53472>

* LiquidThreads: Alex Monk reported and fixed an XSS
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53320>



Full release notes for 1.21.2:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.7:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.8:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>


**********************************************************************
   1.21.2
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz

Patch to previous version (1.21.1):
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.20.7
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz

Patch to previous version (1.20.6):
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-core-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.7.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.19.8
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz

Patch to previous version (1.19.7):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
   Extension:SyntaxHighlight_GeSHi
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:SyntaxHighlight_GeSHi

**********************************************************************
   Extension:CheckUser
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CheckUser

**********************************************************************
   Extension:Wikibase
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Wikibase

**********************************************************************
   Extension:LiquidThreads
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:LiquidThreads
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce


----- End forwarded message -----


Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

wenheping
Please go ahead and feel free to take the maintainership of it.
Thanks !

wen

2013/9/13 Stuart Henderson <[hidden email]>:

> Could somebody who uses www/wikimedia take a look at updating it please?
> Last week's security fixes include a fix for an authentication bypass bug.


Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Stuart Henderson-6
On 2013/09/13 19:01, wen heping wrote:
> Please go ahead and feel free to take the maintainership of it.

I don't use it, but if security fixes aren't handled reasonably quickly, there
isn't much point in having webapps in ports.

(Wordpress also needs some update love if anyone interested is reading - remote
code execution in some cases).


Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Kirill Bychkov
On Fri, September 13, 2013 15:42, Stuart Henderson wrote:
> On 2013/09/13 19:01, wen heping wrote:
>> Please go ahead and feel free to take the maintainership of it.
>
> I don't use it, but if security fixes aren't handled reasonably quickly, there
> isn't much point in having webapps in ports.
>
> (Wordpress also needs some update love if anyone interested is reading -
> remote
> code execution in some cases).

I have a patch for the latest wordpress. It works with a fresh install, but I have
problems while updating from 3.5.2. Maybe my setup is in some way incompatible
with the new version...

If anyone can run some update tests, see the attachment.

>
>

[Attachment: wordpress-3.6.1.patch (20K)]

"Webapps" in ports (was: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8])

Matthias Kilian
Hi,

On Fri, Sep 13, 2013 at 06:17:40PM +0400, Kirill Bychkov wrote:

> On Fri, September 13, 2013 15:42, Stuart Henderson wrote:
> > On 2013/09/13 19:01, wen heping wrote:
> >> Please go ahead and feel free to take the maintainership of it.
> >
> > I don't use it, but if security fixes aren't handled reasonably quickly, there
> > isn't much point in having webapps in ports.
> >
> > (Wordpress also needs some update love if anyone interested is reading -
> > remote
> > code execution in some cases).
>
> I have patch for latest wordpress. It works with fresh install, but I have
> problems while updating from 3.5.2. May be my setup is some way incompatible
> with new version...

Well, wordpress is a perfect example of something that shouldn't be
provided as an OpenBSD (or any other system distribution) package...

When updating, you may have to push some buttons to make the updated
version work.

It's unknown *which* buttons you'll have to push, because it depends
on what plugins and themes you're using, and in which ways you
customised your wordpress installations. (Or in which ways you
*patched* it to make it a little bit less insane than the upstream
version.)

> If anyone can run some update tests see attachment.

Even if I tested my local toy installation of wordpress (from the
wordpress package) this wouldn't say anything about installations
with whatever configurations and whatever plugins and themes
installed.

And did anyone notice that an update of wordpress from 3.5 to 3.6
zaps some outdated but probably still used theme? Guess what'll
happen.  People stupid enough to use wordpress (because it's so easy
to pkg_add it) will complain that they now get "white pages" [tm].

I really think we should stop supporting those "webapps" that just
don't fit into a system distribution but have their own ecosystem
(where users are advised to "ftp" to their "webspace" and similar).

Ciao,
        Kili


Re: "Webapps" in ports (was: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8])

Marc Espie-2
On Fri, Sep 13, 2013 at 10:30:19PM +0200, Matthias Kilian wrote:
> I really think we should stop supporting those "webapps" that just
> don't fit into a system distribution but have their own ecosystem
> (where users are advised to "ftp" to their "webspace" and similar)

I disagree vastly, just for the fact that sometimes, there are patches
that are useful mostly for us, or some kind of adaptation to get
some libraries to work correctly (like sthen did to get pdf from
drupal).  Plus there's some editorial work involved, we don't provide
all the themes and modules, but just a reasonable subset of them...


Re: "Webapps" in ports (was: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8])

David Gwynne-5
for what it's worth, i have to run a bunch of things at work which include webapps like wordpress, drupal, and mediawiki, but the versions of these we (openbsd) package are completely unusable for us (at work).

however, if the packages go away it doesn't actually make it easier for us to keep doing what we're doing at work. the existence of the packages isn't obstructive at all, and if the packages do help some people then i think that's a good enough argument for whoever is happy maintaining them to keep doing so.

dlg

On 14/09/2013, at 6:47 AM, Marc Espie <[hidden email]> wrote:

> On Fri, Sep 13, 2013 at 10:30:19PM +0200, Matthias Kilian wrote:
>> I really think we should stop supporting those "webapps" that just
>> don't fit into a system distribution but have their own ecosystem
>> (where users are advised to "ftp" to their "webspace" and similar)
>
> I disagre vastly, just for the fact that sometimes, there are patches
> that are useful mostly for us, or some kind of adaptation to get
> some libraries to work correctly (like sthen did to get pdf from
> drupal).  Plus there's some editorial work involved, we don't provide
> all the themes and modules, but just a reasonable subset of them...
>



Re: "Webapps" in ports (was: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8])

Kirill Bychkov
On Sat, September 14, 2013 00:30, Matthias Kilian wrote:

> Hi,
>
> On Fri, Sep 13, 2013 at 06:17:40PM +0400, Kirill Bychkov wrote:
>> On Fri, September 13, 2013 15:42, Stuart Henderson wrote:
>> > On 2013/09/13 19:01, wen heping wrote:
>> >> Please go ahead and feel free to take the maintainership of it.
>> >
>> > I don't use it, but if security fixes aren't handled reasonably quickly,
>> there
>> > isn't much point in having webapps in ports.
>> >
>> > (Wordpress also needs some update love if anyone interested is reading -
>> > remote
>> > code execution in some cases).
>>
>> I have patch for latest wordpress. It works with fresh install, but I have
>> problems while updating from 3.5.2. May be my setup is some way incompatible
>> with new version...
>
> Well, wordpress is a perfect example for something that shouldn't be
> provided as an OpenBSD (or any other system distribution) package...
>
> When updating, you may have to push some buttons to make the updated
> version work.
>
> It's unknown *which* buttons you'll have to push, because it depends
> on what plugins and themes you're using, and in which ways you
> customised your wordpress installations. (Or in which ways you
> *patched* it to make it a little bit less insane than the upstream
> version)
>
>> If anyone can run some update tests see attachment.
>
> Even if I tested my local toy installation of wordpress (from the
> wordpress package) this wouldn't say anything about installations
> with whatever configurations and whatever plugins and themes
> installed.
>
> And did anyone notice that an update of wordpress from 3.5 to 3.6
> zaps some outdated but probably still used theme? Guess what'll
> happen.  People stupid enough using wordpress (because it's so easy
> to pkg_add it) will complain that they now get "white pages" [tm].

So we can add a note about this fact in the upgrade guide, no?
Maintainers are supposed to use the packages they're maintaining and they should
test at least common update scenarios.
BTW, thanks for the hint with white pages ;)

> I really think we should stop supporting those "webapps" that just
> don't fit into a system distribution but have their own ecosystem
> (where users are advised to "ftp" to their "webspace" and similar)

Well, for some people it will be a pain to set correct permissions for such
updates, and they end up with "chmod -R 777 /var/www/wordpress".

> Ciao,
> Kili
>
>



Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Craig Skinner-3
On 2013-09-13 Fri 12:42 PM |, Stuart Henderson wrote:
>
> I don't use it, but if security fixes aren't handled reasonably quickly, there
> isn't much point in having webapps in ports.
>

"webapps", ugh.

A trendy contradiction in terms.

Woe betide the day when computers have only port 80, and EVERYTHING is
rammed down its throat.

Puke.
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7


Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Jeremie Courreges-Anglas-2
[hidden email] (Craig R. Skinner) writes:

> On 2013-09-13 Fri 12:42 PM |, Stuart Henderson wrote:
>>
>> I don't use it, but if security fixes aren't handled reasonably quickly, there
>> isn't much point in having webapps in ports.
>>
>
> "webapps", ugh.
>
> A trendy contradiction in terms.
>
> Woe betide the day when computers have only port 80, and EVERYTHING is
> rammed down it's throat.
>
> Puke.

Seems like it's cool to have an opinion about how people should speak or
what software they should use.  It'd be even better if your mail could
actually help porters and users who would like to see those security
issues fixed.

--
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494


Re: [thijs@debian.org: [oss-security] CVE request: MediaWiki Security Release: 1.21.2, 1.20.7 and 1.19.8]

Kirill Bychkov
On Fri, September 13, 2013 12:49, Stuart Henderson wrote:
> Could somebody who uses www/wikimedia take a look at updating it please?
> Last week's security fixes include a fix for an authentication bypass bug.

Hi.
The two previous updates are bug fixes only, so the diff is simple.
I've made a simple test: installed the old version, configured it and made some
changes to the main page. Then updated to 1.19.8. Still works.
Summary log from upstream (1.19.6->1.19.7->1.19.8):
    SECURITY: Sanitize ResourceLoader exception messages
    SECURITY: Token-getting functions will fail when using jsonp callbacks.
    SECURITY: Fix extension detection with 2 .'s
    Allow a string other than '*' as condition for DatabaseBase::delete()
    Purge upstream caches when deleting file assets.
    jquery.tablesorter: Add missing dependency on jquery.mwExtension
    (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mediawiki/Makefile,v
retrieving revision 1.43
diff -u -p -u -r1.43 Makefile
--- Makefile    12 Aug 2013 04:11:21 -0000      1.43
+++ Makefile    19 Sep 2013 12:19:03 -0000
@@ -2,10 +2,9 @@

 COMMENT =      web-based collaborative editing environment

-V =            1.19.6
+V =            1.19.8
 DISTNAME =     mediawiki-${V}
 CATEGORIES =   www
-REVISION =     0

 HOMEPAGE =     http://www.mediawiki.org/

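Review bot: dropping REVISION = 0 together with the V bump to 1.19.8 is right, since a new upstream version resets the package revision, but HOMEPAGE is still http://www.mediawiki.org/ while every link in the forwarded announcement uses https://www.mediawiki.org; switching it to https in the same update would be a cheap improvement. The jump skips 1.19.7, which the covering mail explains as a bugfix-only release; a one-line note in the commit message saying the update covers the 1.19.7 and 1.19.8 security fixes would make that clear to anyone reading the CVS log later.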
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/mediawiki/distinfo,v
retrieving revision 1.25
diff -u -p -u -r1.25 distinfo
--- distinfo    4 May 2013 08:45:41 -0000       1.25
+++ distinfo    19 Sep 2013 12:19:03 -0000
@@ -1,2 +1,2 @@
-SHA256 (mediawiki-1.19.6.tar.gz) = xQVmNcCZuPxzYoBwR7G9LhDC5PsSkEv0rOOwuEdGk6I=
-SIZE (mediawiki-1.19.6.tar.gz) = 18550832
+SHA256 (mediawiki-1.19.8.tar.gz) = 738LrvXiaGC1D6UDEZYmiFvvfpsB4e/zDNCYBrKygAo=
+SIZE (mediawiki-1.19.8.tar.gz) = 18553824
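Review bot: the new SHA256 and SIZE for mediawiki-1.19.8.tar.gz are the only integrity check the port performs on the distfile, so the checksum should be confirmed against the detached GPG signature upstream publishes (mediawiki-1.19.8.tar.gz.sig, listed in the forwarded announcement, with keys at https://www.mediawiki.org/keys/keys.html) rather than only against whatever the fetch returned; saying so in the commit message would help the next updater. The size delta from 18550832 to 18553824 bytes is small and consistent with two bugfix releases.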

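An added example, not MediaWiki's PHP code: a Python model of the bug 49090 class in the advisory (anti-CSRF tokens reachable via JSONP) and of the 1.19.8 change in the summary log above, "Token-getting functions will fail when using jsonp callbacks". The token scheme, the module shape, the error code and the session id are constructed for the demo.

```python
import hashlib
import hmac
import json
import re
from typing import Callable, Optional

# Placeholder server secret for the demo; a real deployment uses a random key.
SERVER_SECRET = b"constructed-secret-do-not-use"


def make_edit_token(session_id: str) -> str:
    """Session-bound anti-CSRF token (constructed HMAC scheme, not MediaWiki's own)."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return mac[:32] + "+\\"  # MediaWiki tokens end in "+\"; kept for flavour only


def render(params: dict, body: dict) -> str:
    """Serialise an API reply; with callback= it becomes JSONP, i.e. executable JS."""
    text = json.dumps(body, separators=(",", ":"))
    callback = params.get("callback")
    if callback:
        # JSONP is loadable by any origin through a <script> tag, which is exactly
        # why a token inside it no longer proves the request came from our own pages.
        return f"{callback}({text})"
    return text


def tokens_vulnerable(params: dict, session_id: str) -> str:
    """Pre-fix behaviour: the token is returned no matter how it was requested."""
    return render(params, {"tokens": {"edittoken": make_edit_token(session_id)}})


def tokens_fixed(params: dict, session_id: str) -> str:
    """Post-fix behaviour: a callback= request gets an error instead of a token."""
    if "callback" in params:
        return render(params, {"error": {"code": "notoken",
                                         "info": "Tokens are not available via JSONP"}})
    return render(params, {"tokens": {"edittoken": make_edit_token(session_id)}})


def script_payload(script: str, callback: str) -> Optional[dict]:
    """The object a third-party page would be handed after loading the reply as <script>."""
    m = re.fullmatch(re.escape(callback) + r"\((.*)\)", script, re.S)
    return json.loads(m.group(1)) if m else None


def leaks_token(handler: Callable[[dict, str], str], session_id: str,
                callback: str = "cb") -> bool:
    """Regression check for a token endpoint: does a callback= request expose a token?"""
    payload = script_payload(handler({"callback": callback}, session_id), callback)
    return payload is not None and "tokens" in payload


if __name__ == "__main__":
    sid = "constructed-session-1"
    print("vulnerable handler leaks token:", leaks_token(tokens_vulnerable, sid))
    print("fixed handler leaks token:     ", leaks_token(tokens_fixed, sid))
```

The `leaks_token` check is the kind of test a port maintainer or site operator can keep around after applying the update, so that a later regression of the same kind is caught before deployment.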