[om-infra] [MediaWiki-announce] Security Release: 1.26.3, 1.25.6, and 1.23.14
Jean-Claude Vanier
jclvanier at gmail.com
Sun May 22 11:18:24 EDT 2016
Upgraded to 1.25.6
2016-05-20 19:05 GMT+02:00 Chad via OM-Infra <om-infra at ml.openmandriva.org>:
> I would like to announce the release of MediaWiki 1.26.3, 1.25.6 and
> 1.23.14.
>
> These releases fix sixteen security issues in core, one issue in the bundled
> extension SyntaxHighlight_GeSHi and one issue in the non-bundled
> extension Scribunto.
> Download links are given at the end of this email.
>
> == Security fixes ==
>
> * T122056: Old tokens are remaining valid within a new session
> * T127114: Login throttle can be tricked using non-canonicalized usernames
> * T123653: Cross-domain policy regexp is too narrow
> * T123071: Incorrectly identifying http link in a's href attributes, due to
> m modifier in regex
> * T129506: MediaWiki:Gadget-popups.js isn't renderable
> * T125283: Users occasionally logged in as different users after
> SessionManager deployment
> * T103239: Patrol allows click catching and patrolling of any page
> * T122807: [tracking] Check php crypto primitives
> * T98313: Graphs can leak tokens, leading to CSRF
> * T130947: Diff generation should use PoolCounter
> * T133507: Careless use of $wgExternalLinkTarget is insecure
> * T132874: API action=move is not rate limited
>
> This fix affects both core and SyntaxHighlight_GeSHi:
> * T110143: strip markers can be used to get around html attribute escaping
> in (many?) parser tags
>
> These two fixes are not applicable to 1.23.14 as the 1.23 branch does not
> contain pbkdf2 support.
> * T116030: Increase pbkdf2 parameter strengths
> * T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded
>
> This fix is already in master and the 1.27 release branch, and is just being
> backported to 1.23 and 1.25:
> * T126685: Globally throttle password attempts
>
> == Links to all mentioned tasks ==
> https://phabricator.wikimedia.org/T122056
> https://phabricator.wikimedia.org/T127114
> https://phabricator.wikimedia.org/T123653
> https://phabricator.wikimedia.org/T123071
> https://phabricator.wikimedia.org/T129506
> https://phabricator.wikimedia.org/T125283
> https://phabricator.wikimedia.org/T103239
> https://phabricator.wikimedia.org/T122807
> https://phabricator.wikimedia.org/T98313
> https://phabricator.wikimedia.org/T130947
> https://phabricator.wikimedia.org/T133507
> https://phabricator.wikimedia.org/T132874
> https://phabricator.wikimedia.org/T110143
> https://phabricator.wikimedia.org/T116030
> https://phabricator.wikimedia.org/T127420
> https://phabricator.wikimedia.org/T126685
>
> == Release notes ==
>
> Full release notes for 1.26.3:
> <https://www.mediawiki.org/wiki/Release_notes/1.26>
>
> Full release notes for 1.25.6:
> <https://www.mediawiki.org/wiki/Release_notes/1.25>
>
> Full release notes for 1.23.14:
> <https://www.mediawiki.org/wiki/Release_notes/1.23>
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> 1.26.3
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz
>
> Patch to previous version:
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.25.6
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz
>
> Patch to previous version:
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> 1.23.14
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz
>
> Patch to previous version:
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> -Chad H. & Chris S.