id summary reporter owner description type status priority milestone component resolution keywords cc estimatedhours hours billable totalhours
686 MediaWiki 1.19.11 Update chris chris "On the [http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html MediaWiki-announce list]:

> I would like to announce the release of !MediaWiki 1.22.2, 1.21.5 and 1.19.11.
>
> Your !MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for !DjVu (natively supported by !MediaWiki) or PDF files (in combination with the !PdfHandler extension). Neither file type is enabled by default in !MediaWiki installations. If you are affected, we strongly urge you to update immediately.
>
> Affected supported versions: All
>
> == Security fixes ==
>
> * Netanel Rubin from Check Point discovered a remote code execution
> vulnerability in !MediaWiki's thumbnail generation for !DjVu files. Internal
> review also discovered similar logic in the !PdfHandler extension, which
> could be exploited in a similar way. (CVE-2014-1610)
> https://bugzilla.wikimedia.org/show_bug.cgi?id=60339
>
> == Bug Fixes in 1.22.2 ==
>
> * (bug 58253) Check for very old PCRE versions in installer and updater
> * (bug 60054) Make WikiPage::$mPreparedEdit public
>
> Full release notes for 1.19.9:
>
> * https://www.mediawiki.org/wiki/Release_notes/1.19
" maintenance closed major Maintenance Mediawiki fixed sam 0.25 0 1 0.5