Security update for MediaWiki
All MediaWiki users are advised by the developers to upgrade to MediaWiki 1.13.3, 1.12.2 or 1.6.11, which have been released as a security update to the free software wiki package. David Remahl of Apple's Product Security team identified a number of security issues in the MediaWiki software, which in turn led the developers to further problems. Four vulnerabilities are closed by the update. Cross-site scripting vulnerabilities were found in MediaWiki versions 1.13.0 to 1.13.2, and two local script injection vulnerabilities were identified for all MediaWiki versions with uploads enabled. A CSRF (Cross-Site Request Forgery) vulnerability was discovered in the Special:Import feature, which could allow an attacker to access a legitimate user's session on a wiki.
The developers have put an update for 1.12.2 online, but this is unfortunately broken and users are directed to pull the 1.12.2 updates directly from the Subversion repository.
See also:
- MediaWiki 1.13.3 – 1.12.2 – 1.6.11 security update, MediaWiki advisory and links to updated packages.
(djwm)