MediaWiki 1.32.2
7 June 2019
MediaWiki version 1.32.2 is now available (security release).
Upgrading to MediaWiki 1.32.2
MediaWiki 1.32.2 can be installed, or upgraded to, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply MediaWiki updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install and test the 1.32.2 upgrade before applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.32.2
Security
- (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail bypassed the reauthentication step, potentially allowing account takeover.
- (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table.
- (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allowed anyone to create that account and then XSS the users loading that script.
- (T208881) Blacklist CSS var().
- (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
- (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly.
- (T209794, CVE-2019-12467) A spammer could use Special:ChangeEmail to send out spam, with no rate limiting and no way to block them.
- (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF).
- (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags.
- (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
- (T221739, CVE-2019-11358) Fix potential XSS in jQuery.