Path to this page:
Next | Query returned 2 messages, browsing 1 to 10 | previous
CVS Commit History:
2010-04-07 12:21:11 by Matthias Scheler | Files touched by this commit (2) | |
Log message:
Pullup ticket #3073 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.11
- www/mediawiki/distinfo 1.7
---
Module Name: pkgsrc
Committed By: martti
Date: Wed Apr 7 05:40:11 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log message:
Updated www/mediawiki to 1.15.3
This is a security and bugfix release of MediaWiki 1.15.3 and MediaWiki
1.16.0beta2.
MediaWiki was found to be vulnerable to login CSRF. An attacker who
controls a user account on the target wiki can force the victim to log
in as the attacker, via a script on an external website. If the wiki is
configured to allow user scripts, say with "$wgAllowUserJs = true" in
LocalSettings.php, then the attacker can proceed to mount a
phishing-style attack against the victim to obtain their password.
Even without user scripting, this attack is a potential nuisance, and so
all public wikis should be upgraded if possible.
Our fix includes a breaking change to the API login action. Any clients
using it will need to be updated. We apologise for making such a
disruptive change in a minor release, but we feel that security is
paramount.
For more details see https://bugzilla.wikimedia.org/show_bug.cgi?id=23076
|
2010-03-09 11:51:52 by Matthias Scheler | Files touched by this commit (2) | |
Log message:
Pullup ticket #3046 - requested by martti
mediawiki: security update
Revisions pulled up:
- www/mediawiki/Makefile 1.10
- www/mediawiki/distinfo 1.6
---
Module Name: pkgsrc
Committed By: martti
Date: Tue Mar 9 05:16:42 UTC 2010
Modified Files:
pkgsrc/www/mediawiki: Makefile distinfo
Log message:
Updated www/mediawiki to 1.15.2
Two security issues were discovered:
A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.
A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.
Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.
|
Next | Query returned 2 messages, browsing 1 to 10 | previous