MediaWiki 1.23.8
17 December 2014
MediaWiki version 1.23.8 is now available (security release).
Upgrading to MediaWiki 1.23.8
MediaWiki 1.23.8 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.23.8 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron
What's New in MediaWiki 1.23.8
Security fixes
- (bug T76686) [SECURITY] thumb.php outputs a wikitext message as raw HTML, which could lead to XSS. Permission to edit the MediaWiki namespace is required to exploit this.
- (bug T77028) [SECURITY] A malicious site can bypass the CORS restrictions in $wgCrossSiteAJAXdomains on API calls if its name merely contains an allowed domain as a substring.
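The T77028 entry describes a common allowlist pitfall: testing whether an allowed domain appears anywhere in the Origin string instead of comparing the Origin's host label by label. The following is an added illustration, not MediaWiki's code or its fix; the allowlist values, function names and sample Origins are constructed for the example. It places the permissive substring check beside a strict check so the difference can be exercised directly.

```python
"""Origin allowlist matching: substring check vs. label-wise host check.

Constructed illustration of the pitfall behind the T77028 entry; not
MediaWiki's own code. ALLOWED mimics the shape of $wgCrossSiteAJAXdomains
with hypothetical values.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: one exact host and one single-label wildcard.
ALLOWED = ["wiki.example.com", "*.example.org"]


def weak_origin_allowed(origin: str, allowed=ALLOWED) -> bool:
    """Permissive check: passes any Origin that merely *contains* an allowed name.

    This is the shape of check that an Origin such as
    https://wiki.example.com.evil.test slips through.
    """
    return any(entry.lstrip("*.") in origin for entry in allowed)


def _host_matches(host: str, pattern: str) -> bool:
    """Compare DNS labels one by one; '*' matches exactly one label."""
    host_labels = host.lower().rstrip(".").split(".")
    pattern_labels = pattern.lower().split(".")
    if len(host_labels) != len(pattern_labels):
        return False
    return all(p == "*" or p == h for h, p in zip(host_labels, pattern_labels))


def strict_origin_allowed(origin: str, allowed=ALLOWED) -> bool:
    """Strict check: parse the Origin, require a bare http(s) origin, match the host."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # An Origin header carries scheme, host and port only; anything else is suspect.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return False
    return any(_host_matches(parts.hostname, entry) for entry in allowed)


# Constructed sample Origins: the first and fourth are legitimate, the rest are
# lookalikes that only *contain* an allowed domain.
SAMPLE_ORIGINS = [
    "https://wiki.example.com",
    "https://wiki.example.com.evil.test",
    "https://evil.test/?ref=wiki.example.com",
    "https://docs.example.org",
    "https://notexample.org",
    "https://a.b.example.org",
]


def compare(origins=SAMPLE_ORIGINS) -> dict:
    """Return {origin: (weak_result, strict_result)} for each sample Origin."""
    return {o: (weak_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    for origin, (weak, strict) in compare().items():
        print(f"{origin:45} weak={weak!s:5} strict={strict}")
```

Running the block prints one row per sample Origin; every lookalike is accepted by the substring check and rejected by the label-wise check, while the two genuine origins pass both. When auditing a CORS allowlist, the strict variant is the behaviour to look for: parse the header, then compare whole host labels rather than searching for a substring.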
Security fixes in extensions
- (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
- (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
- (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs an edit token when raw HTML is allowed.
- (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
- (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through a timing side channel.
- (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.