Upgrade all MediaWiki 1.15.x instances to 1.15.2

RESOLVED FIXED

Status

--
major
RESOLVED FIXED
9 years ago
4 years ago

People

(Reporter: reed, Assigned: oremj)

Tracking

Bug Flags:
needs-downtime +

Details

(Whiteboard: 03/18/2010 @ 7pm, URL)

(Reporter)

Description

9 years ago
From the MediaWiki security announcement released a few days ago:

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.
Assignee: server-ops → jeremy.orem+bugs
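
An added example, not part of this bug or of MediaWiki: a small audit that reports, for each install root, whether it is older than 1.15.2 and whether the thumb.php workaround from the announcement applies. Assumptions: `$wgVersion` is read from `includes/DefaultSettings.php`, the function names are hypothetical, the sample trees are constructed, and whether a wiki is private is not checked.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 15, 2)  # fixed release named in the announcement
THUMB_SETTINGS = ("$wgThumbnailScriptPath", "thumbScriptUrl")  # names from the announcement

def read_version(root):
    """Return $wgVersion from includes/DefaultSettings.php as an int tuple, or None."""
    path = Path(root) / "includes" / "DefaultSettings.php"
    if not path.is_file():
        return None
    m = re.search(r"""^\s*\$wgVersion\s*=\s*['"](\d+(?:\.\d+)*)""",
                  path.read_text(errors="replace"), re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def uses_thumb_script(root):
    """Conservative heuristic: any non-comment LocalSettings.php line names a thumb setting."""
    path = Path(root) / "LocalSettings.php"
    if not path.is_file():
        return False
    lines = (l.strip() for l in path.read_text(errors="replace").splitlines())
    return any(name in l for l in lines if not l.startswith(("#", "//", "*", "/*"))
               for name in THUMB_SETTINGS)

def audit(root):
    """Report version, upgrade need and whether the thumb.php workaround applies."""
    version = read_version(root)
    needs_upgrade = version is None or version < FIXED  # unknown version: treat as unpatched
    has_thumb = (Path(root) / "thumb.php").is_file()
    return {"version": version, "needs_upgrade": needs_upgrade, "thumb_php_present": has_thumb,
            # Privacy of the wiki is not checked here; the workaround is for private wikis only.
            "can_delete_thumb_php": needs_upgrade and has_thumb and not uses_thumb_script(root)}

def make_sample(base, name, version, local_settings):
    """Write a constructed (not real) install tree under base and return its root."""
    root = Path(base) / name
    (root / "includes").mkdir(parents=True)
    (root / "includes" / "DefaultSettings.php").write_text(f"<?php\n$wgVersion = '{version}';\n")
    (root / "LocalSettings.php").write_text(local_settings)
    (root / "thumb.php").write_text("<?php\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        a = make_sample(tmp, "wiki-a", "1.15.1", "<?php\n# $wgThumbnailScriptPath unused\n")
        b = make_sample(tmp, "wiki-b", "1.15.1", "<?php\n$wgThumbnailScriptPath = '/w/thumb.php';\n")
        c = make_sample(tmp, "wiki-c", "1.15.2", "<?php\n")
        for root in (a, b, c):
            print(root.name, audit(root))
```

A setting that is present but assigned `false` still counts as "in use" here, so the script errs toward keeping thumb.php and upgrading instead.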

Updated

9 years ago
Flags: needs-downtime+
Whiteboard: 03/18/2010 @ 7pm
(Assignee)

Comment 1

9 years ago
Upgraded.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard