[Scummvm-devel] wiki update

Thierry Crozat criezy at scummvm.org
Thu Apr 8 22:13:11 CEST 2010


As planned I have just finished updating the wiki to MediaWiki 1.15.3.
It went smoothly and it seems to still work fine. However, if you have
problems using it after this update please drop me an email.

Thierry

On 7 Apr. 10 at 19:44, Thierry Crozat wrote:

> Hi (again),
>
> A security fix for MediaWiki was released today. Our wiki is not too
> vulnerable to the security hole (as user scripting is disabled), but
> I will update it nonetheless. The update will happen tomorrow evening
> at 9pm GMT, unless one of you asks me to postpone it. It should not
> last more than 10 minutes, during which the wiki will be locked to be
> read only.
>
> For your information, the announcement message is the following:
> MediaWiki was found to be vulnerable to login CSRF. An attacker who
> controls a user account on the target wiki can force the victim to
> log in as the attacker, via a script on an external website. If the
> wiki is configured to allow user scripts, say with "$wgAllowUserJs =
> true" in LocalSettings.php, then the attacker can proceed to mount a
> phishing-style attack against the victim to obtain their password.
>
> Even without user scripting, this attack is a potential nuisance, and
> so all public wikis should be upgraded if possible.
>
> Our fix includes a breaking change to the API login action. Any
> clients using it will need to be updated. We apologise for making
> such a disruptive change in a minor release, but we feel that
> security is paramount.
>
> Thierry
>




