[Scummvm-devel] Wiki update

Thierry Crozat criezy at scummvm.org
Sat May 29 15:12:07 CEST 2010


Hi all,

I am planning to update our wiki to MediaWiki 1.15.4 on Sunday
morning (i.e. tomorrow morning) around 10am UK time. This is a small
update and it shouldn't take long. As usual I will set the wiki to
read-only and do a backup before proceeding. I will also be on IRC
all the while.

If this time frame is a problem for you, please let me know and I
will postpone the update to Monday morning.

Thierry


NB: Here is what the MediaWiki team had to say on the update:

Two security vulnerabilities were discovered.

Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE; it has been confirmed on IE 6 and 8.

Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.

These vulnerabilities are serious and all users are advised to
upgrade. Remember that CSRF and XSS vulnerabilities can be used even
against firewall-protected intranet installations, as long as the
attacker can guess the URL.




