From announce mail at $URL: I would like to announce the release of MediaWiki 1.17.1. Two security issues were discovered. Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32276 The second issue was found by Tim Starling, who discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=32616
CVE-2011-4361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4361): MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions. CVE-2011-4360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4360): MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.
Thanks, everyone. GLSA vote: no.
GLSA Vote: no, too, closing noglsa.
