1011d2fc50
This is a security and bugfix release of MediaWiki 1.15.4. Two security vulnerabilities were discovered. Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It affects Internet Explorer clients only. The issue is presumed to affect all recent versions of IE, it has been confirmed on IE 6 and 8. Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer. Full details can be found at: https://bugzilla.wikimedia.org/show_bug.cgi?id=23687 A CSRF vulnerability was discovered in our login interface. Although regular logins are protected as of 1.15.3, it was discovered that the account creation and password reset features were not protected from CSRF. This could lead to unauthorised access to private wikis. See https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details. These vulnerabilities are serious and all users are advised to upgrade. Remember that CSRF and XSS vulnerabilities can be used even against firewall-protected intranet installations, as long as the attacker can guess the URL. |
||
|---|---|---|
| .. | ||
| files | ||
| DESCR | ||
| distinfo | ||
| Makefile | ||
| MESSAGE | ||
| options.mk | ||
| PLIST | ||