"These releases fix 3 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST when establishing an SSL connection, instead of '2'.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=44135>
<https://bugzilla.wikimedia.org/show_bug.cgi?id=42441>

* MediaWiki developer Krenair discovered that the full user object, including password hash, could be returned when unblocking a user by the API. Exploitation of this vulnerability requires the user to have permissions to unblock users; by default this is limited to users in the sysop group.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=43518>

* MediaWiki developer Platonides discovered that the maintenance script mwdoc-filter.php did not check if it was being run via the CLI, and could allow an attacker to read arbitrary files if PHP's register_globals was enabled and the .htaccess file in the maintenance directory, which by default denies access for all users, was disabled.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=45355>"
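The three fixes in the quoted announcement are each a small, general PHP hardening pattern. The block below is an added illustration written for this page; it is not MediaWiki's code, and the function names, the field whitelist and the sample user record are all constructed here. The first pattern is the one behind CURLOPT_SSL_VERIFYHOST: curl_setopt() coerces a boolean option value to an integer, so `true` becomes 1, which in libcurl releases of that era only checked that the certificate carried a Common Name at all, while 2 is the value that actually compares the certificate name against the host being connected to.

```php
<?php
// Added example for this page, not MediaWiki's own code.

// 1. TLS hostname verification with PHP's curl binding.
//    curl_setopt() casts the option value to a long, so `true` is sent as 1.
function weakCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // Coerced to 1: older libcurl only checks that a CN exists, not that it
    // matches $url's host, so a valid cert for any name is accepted.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
    return $ch;
}

function hardenedCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    // 2 is the only value that enforces a CN/SAN match against the host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    return $ch;
}

// Helper for reviews/tests: mirrors the integer coercion curl_setopt() applies,
// so the difference between passing `true` and passing 2 is visible.
function verifyHostValue($flag): int
{
    return (int) $flag;
}

// 2. Maintenance scripts must refuse to run under a web SAPI. With
//    register_globals enabled, a request such as ?file=/etc/passwd would
//    otherwise populate whatever variable the script reads its path from.
function requireCli(): void
{
    if (PHP_SAPI !== 'cli') {
        if (!headers_sent()) {
            header('HTTP/1.1 403 Forbidden');
        }
        fwrite(STDERR, "This script must be run from the command line.\n");
        exit(1);
    }
}

// 3. API responses should expose an explicit allow-list of fields rather than
//    the raw user record, so a password hash can never leak by accident.
//    The field names here are constructed for the example.
function publicUserView(array $user): array
{
    $allowed = ['id', 'name', 'groups'];
    return array_intersect_key($user, array_flip($allowed));
}

// Constructed sample record standing in for a full user object.
$sampleUser = [
    'id'       => 42,
    'name'     => 'ExampleUser',
    'password' => ':B:deadbeef:0123456789abcdef0123456789abcdef',
    'email'    => 'user@example.invalid',
    'groups'   => ['sysop'],
];

requireCli();
printf("VERIFYHOST from true: %d, from 2: %d\n", verifyHostValue(true), verifyHostValue(2));
print_r(publicUserView($sampleUser));
```

Running the script from a shell prints the two coerced option values and a user view that contains only `id`, `name` and `groups`; invoking the same file through a web server is refused by requireCli() before any of that work happens.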
Thank you for the report, Manuel.
Both releases added to CVS, feel free to start the stabilization process.
Thanks, Tim. Arches, please test and mark stable:
=www-apps/mediawiki-1.19.4
=www-apps/mediawiki-1.20.3
Target KEYWORDS "~alpha amd64 ppc x86"
amd64 stable
x86 stable
ppc stable
GLSA request filed.
Arches, please stabilize:
=www-apps/mediawiki-1.19.5
=www-apps/mediawiki-1.20.4
(In reply to comment #8)
> Arches, please stabilize:
> =www-apps/mediawiki-1.19.5
> =www-apps/mediawiki-1.20.4
Sorry for the bugspam, posted to the wrong bug.
This issue was resolved and addressed in GLSA 201310-21 at http://security.gentoo.org/glsa/glsa-201310-21.xml by GLSA coordinator Sergey Popov (pinkbyte).