[Pkg-mediawiki-devel] [MediaWiki-announce] Pre-Release Announcement for MediaWiki 1.18.6, 1.19.3, and 1.20.1

Chris Steipp csteipp at wikimedia.org
Wed Nov 28 04:29:24 UTC 2012

On Thursday, November 29th, between 21:00-22:00 UTC (1-2pm PST)
Wikimedia Foundation will release security updates for current and
supported branches of the MediaWiki software. We are providing this
pre-announcement as a courtesy for administrators to be ready to
accept the fix for these on Thursday. We will send another
announcement email when the patches and tar files are ready for

* Vulnerabilities were found in both MediaWiki core and the
CentralAuth extension. Successful exploitation could allow an attacker
to compromise another user's account. Risk is considered moderate
(CVSS Base Score: 4).
* One vulnerability was discovered that could allow an attacker to
prevent users from viewing Special:RecentChanges, and other pages,
which could prevent the detection of SPAM or vandalism. Public wikis
are encouraged to upgrade.
* A flaw in the MediaWiki 1.20 API could allow a stored XSS.
Exploitation requires user interaction or an existing XSS
vulnerability, so risk of exploitation is low.

For information about how to upgrade, see

MediaWiki announcements mailing list
To unsubscribe, go to:

More information about the Pkg-mediawiki-devel mailing list