-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A number of security issues in MediaWiki extensions have been fixed. Users of these extensions should update to the latest version.

* CentralAuth: Internal review found multiple issues that have been resolved:
** (bug 70469) Special:MergeAccount failed to validate the anti-CSRF token in its forms when performing actions.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70469>
** (bug 70468) The internal function to attach multiple local wiki accounts into a single, global account did not re-check that the requesting user owned the "home wiki" for that username, but assumed that user did own this account. This could allow a user to add their local account edits to a global account that they didn't own.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70468>
** (bug 71749) Incomplete fix for bug 70468. The fix wasn't applied to the new feature where accounts were globalized automatically on login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=71749>
** (bug 70620) When globally renaming a user, the antispoof table, which prevents similar-looking names from being created, wasn't updated. This potentially allowed another user to register an account with a name that looked identical to the username of a user who had been globally renamed.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70620>

* MobileFrontend: (bug 70009) Sherif Mansour discovered that POST parameters were being added to links generated by MobileFrontend, which could reveal the user's password after login.
<https://bugzilla.wikimedia.org/show_bug.cgi?id=70009>

**********************************************************************
Extension:CentralAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:CentralAuth

**********************************************************************
Extension:MobileFrontend
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:MobileFrontend

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlQ1lJoACgkQ7h9mNGLYTwGdgAD/X7q6WfaBoE2SdKjZeoLE9yvs
wg07Fs4kytmmSQDXa4IBAKBgaYuhuRt5j+G5Q9YNdfCCkvlSqnz7heCIX1Ddn5ma
=cOb1
-----END PGP SIGNATURE-----
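
The MobileFrontend issue (bug 70009) modelled as an added example; this is not MobileFrontend's code and not part of the original announcement. It puts a link builder that copies every request value into the URL next to one that carries only allow-listed query-string values, and adds a regression check that reports sensitive parameter names found in a generated link. The function names, the allow-list and the request values are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names and request data are constructed,
// not taken from MobileFrontend.

// Flawed pattern: every request value, POST body included, is copied into the link.
function buildLinkFromAllValues(string $path, array $get, array $post, array $extra): string
{
    return $path . '?' . http_build_query(array_merge($get, $post, $extra));
}

// Hardened pattern: only allow-listed query-string values are carried over.
function buildLinkFromQuery(string $path, array $get, array $extra, array $allowed): string
{
    $carried = array_intersect_key($get, array_flip($allowed));
    return $path . '?' . http_build_query(array_merge($carried, $extra));
}

// Regression check: names of sensitive parameters present in a generated URL.
function sensitiveParamsIn(string $url, array $sensitive): array
{
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return array_values(array_intersect(array_keys($params), $sensitive));
}

// Constructed login request: page title in the query string, credentials in the body.
$get   = ['title' => 'Special:UserLogin', 'returnto' => 'Main Page'];
$post  = ['wpName' => 'ExampleUser', 'wpPassword' => 'constructed-secret'];
$extra = ['mobileaction' => 'toggle_view_desktop'];
$sensitive = ['wpPassword', 'wpLoginToken'];

$links = [
    'all values' => buildLinkFromAllValues('/w/index.php', $get, $post, $extra),
    'query only' => buildLinkFromQuery('/w/index.php', $get, $extra, ['title', 'returnto']),
];

// Report, for each generated link, which sensitive parameters it exposes.
foreach ($links as $label => $url) {
    $found = sensitiveParamsIn($url, $sensitive);
    printf("%-10s %s\n  sensitive parameters: %s\n", $label, $url,
        $found ? implode(', ', $found) : 'none');
}
```

A value that reaches a link in this way can persist in browser history, server access logs and Referer headers, which is why a check like `sensitiveParamsIn` belongs in the tests for any code that generates URLs from request data.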
