T169545 - $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'
'newbie' (newly created accounts) are supposed to have more stringent rate limits applied, but the defaults for all users, 'user', were taking precedence.
Affects all MediaWiki versions since 1.13.0 (Aug 2008).
T187638 - When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information
Allows users to see private information if they construct a URL manually.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
T194605 - BotPassword can bypass CentralAuth's account lock
Creating a BotPassword would allow users to bypass an account lock (supposed to prevent the user from logging in at all/taking any actions) and continue to make edits, etc.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
T194237 - Creating a new BotPassword allows you to take control of an account in much the same way as changing the password does, as it essentially creates a new password.
Harden BotPasswords to ensure that they can't be used to fully take over an account by changing the real password, email, etc.
Affects all MediaWiki versions since 1.27.0 (Jun 2016).
9029 - 1.31.0 tarball missing .htaccess files
A packaging issue in the release script stripped the tarball of all .htaccess files, which are used to ensure that some directories are not web accessible if they don't need to be.
Affects 1.31.0 (Jun 2018) only if the tarball was used; git users were not affected.
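The following is an added example, not part of the advisory or of MediaWiki's own tooling: a small POSIX shell check an administrator can run over an extracted tarball to confirm that the directories which should not be web accessible still carry their .htaccess file. The directory names passed to the check and the sample tree it builds are constructed for illustration; the real list of protected directories is not given in the advisory and would have to be taken from a known-good release.

```shell
#!/bin/sh
# Added example (not from the advisory). Verifies that an extracted MediaWiki
# tree still contains .htaccess files in directories that must not be served
# directly. The directory list used by the caller is an assumption for
# illustration, not the project's authoritative list.

# check_htaccess ROOT DIR...
# Prints each DIR under ROOT that lacks a .htaccess file.
# Returns 0 when every listed directory is protected, 1 otherwise.
check_htaccess() {
    root="$1"
    shift
    missing=0
    for d in "$@"; do
        if [ ! -f "$root/$d/.htaccess" ]; then
            echo "missing: $root/$d/.htaccess"
            missing=1
        fi
    done
    return "$missing"
}

# make_sample_tree
# Builds a constructed directory tree that imitates a partially stripped
# tarball: 'cache' and 'includes' keep their .htaccess, 'images' has lost it.
# Prints the path of the temporary root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cache" "$t/images" "$t/includes"
    printf 'Deny from all\n' > "$t/cache/.htaccess"
    printf 'Deny from all\n' > "$t/includes/.htaccess"
    echo "$t"
}

# Usage against a real extraction would look like:
#   check_htaccess /var/www/mediawiki cache includes images
# (directory names are an assumption; take them from a known-good release)
```

Run the check against a freshly extracted tarball before deploying it; a non-zero exit lists every directory that has lost its protection and should be restored from a git checkout or a known-good release.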
Fixes for all 4 issues will be released in 1.27.5/1.29.3/1.30.1/1.31.1.
We're not requesting a CVE for {T194237}, which is a hardening fix.