(T117899) XSS from wikitext when $wgArticlePath='$1'. Internal review
discovered an XSS vector in wikitext that is reachable when MediaWiki
is run with this non-default setting (article URLs served directly
from the site root, with no path prefix).
(T119309) User::matchEditToken should use constant-time string
comparison. Internal review discovered that edit tokens were being
compared with an ordinary string comparison, which returns as soon as
a byte differs and so could allow a timing attack on the token.
(T118032) Error thrown by VirtualRESTService when POST variable starts
with '@'. Internal review discovered that MediaWiki was not sanitizing
parameters passed to the curl library; PHP's curl binding treats an
array POST value beginning with '@' as the path of a file to upload,
so a crafted parameter could cause curl to upload files from the
webserver to an attacker.
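The '@' hazard and one way to close it, as an added example that is not MediaWiki's VirtualRESTService or CurlHttpRequest code. The builder functions, the field names and the backend URL are assumptions; the "attacker" array is constructed input, and nothing is sent because there is no curl_exec() call. ext/curl must be loaded for the CURLOPT_* constants.

```php
<?php
// Added example, not MediaWiki's VirtualRESTService or CurlHttpRequest code.
// Shows why a request-supplied POST value starting with '@' was dangerous when
// handed to curl as an array, and a hardened builder. The URL and field values
// are constructed; nothing is sent (there is no curl_exec call). Needs ext/curl.

/**
 * Vulnerable: the array goes straight to CURLOPT_POSTFIELDS. On PHP < 5.6, or
 * PHP 5.5 with CURLOPT_SAFE_UPLOAD left false, a value such as "@/etc/passwd"
 * is read as "upload the file at this path", so the request body carries
 * server files instead of the text the caller thought it was sending.
 */
function buildPostOptionsUnsafe( string $url, array $fields ): array {
    return [
        CURLOPT_URL => $url,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $fields,
    ];
}

/**
 * Hardened: refuse '@'-prefixed values outright, send a form-urlencoded
 * string (a string body is never interpreted as a file list), and opt out of
 * the legacy '@' convention on interpreters that still honour it.
 */
function buildPostOptionsSafe( string $url, array $fields ): array {
    foreach ( $fields as $name => $value ) {
        if ( !is_scalar( $value ) ) {
            throw new InvalidArgumentException( "POST field '$name' must be scalar" );
        }
        if ( substr( (string)$value, 0, 1 ) === '@' ) {
            throw new InvalidArgumentException(
                "Refusing POST field '$name': value begins with '@'" );
        }
    }
    $opts = [
        CURLOPT_URL => $url,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query( $fields ),
        CURLOPT_RETURNTRANSFER => true,
    ];
    if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
        // PHP 5.5+: disable '@' handling; true is the only value PHP 7 accepts.
        $opts[CURLOPT_SAFE_UPLOAD] = true;
    }
    return $opts;
}

// Constructed attacker input: the REST parameter's value names a server file.
$backend = 'http://restbase.internal/v1/page'; // assumed backend URL
$attacker = [ 'title' => 'Main Page', 'summary' => '@/etc/passwd' ];

$unsafe = buildPostOptionsUnsafe( $backend, $attacker );
// The path is passed through untouched, leaving curl to decide what it means.
echo "unsafe summary field: ", $unsafe[CURLOPT_POSTFIELDS]['summary'], "\n";

try {
    buildPostOptionsSafe( $backend, $attacker );
} catch ( InvalidArgumentException $e ) {
    echo "safe builder: ", $e->getMessage(), "\n";
}
```

Encoding the body yourself is the defence that works on every PHP version; the explicit '@' check is there so that a caller who later switches back to an array body gets a loud failure rather than a silent file upload. Deliberate uploads belong in a CURLFile object (PHP 5.5+), never in a string prefix.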
(T115522) Passwords generated by User::randomPassword() may be shorter
than $wgMinimalPasswordLength. MediaWiki user Frank R. Farmer reported
that the password reset token could be shorter than the minimum required
password length.
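A temporary-password generator whose output can never fall below the configured minimum, as an added example that is not User::randomPassword() itself. $wgMinimalPasswordLength is the real MediaWiki setting; the function names and the value 16 used below are assumptions for the illustration. PHP 7.0 or later for random_int().

```php
<?php
// Added example, not User::randomPassword() itself. Builds a temporary
// password whose length can never fall below the configured minimum, plus the
// check a reset path should run before handing the value out.
// $wgMinimalPasswordLength is the real setting; function names are assumed.

/**
 * Draw each character directly from the CSPRNG. Assembling the string one
 * character at a time guarantees exactly $length characters; schemes that
 * generate a random number and convert it to another base can come up short
 * when the conversion drops leading zeros.
 */
function generateTemporaryPassword( int $minimalPasswordLength, int $floor = 10 ): string {
    $length = max( $floor, $minimalPasswordLength );
    // Letters and digits without the look-alikes 0/O/o and 1/l/I (56 symbols).
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $last = strlen( $alphabet ) - 1;
    $password = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $password .= $alphabet[ random_int( 0, $last ) ];
    }
    return $password;
}

/** Guard to run before a generated value is accepted as a password. */
function meetsMinimumLength( string $password, int $minimalPasswordLength ): bool {
    return strlen( $password ) >= $minimalPasswordLength;
}

// Constructed configuration: a site that demands longer-than-default passwords.
$wgMinimalPasswordLength = 16;
for ( $trial = 0; $trial < 1000; $trial++ ) {
    $candidate = generateTemporaryPassword( $wgMinimalPasswordLength );
    if ( !meetsMinimumLength( $candidate, $wgMinimalPasswordLength ) ) {
        throw new RuntimeException( "Generated password shorter than minimum: $candidate" );
    }
}
echo "1000 passwords generated, none shorter than $wgMinimalPasswordLength characters\n";
```

Keeping the length check separate from the generator means the reset code path still refuses a too-short value if someone later swaps in a different generator.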
(T97897) Incorrect parsing of IPs for global block. Wikimedia steward
Vituzzu reported that blocking IP addresses with zero-padded octets
resulted in a failure to block the IP address.
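IPv4 canonicalisation that makes a zero-padded submission match the block placed on the plain form, as an added example that is not MediaWiki's IP class. Beyond the single-address case the report describes, it also handles a.b.c.d/n ranges, including a zero-padded prefix length. Function names are assumptions and the sample inputs are constructed; it needs PHP 7.1 or later and 64-bit integers.

```php
<?php
// Added example, not MediaWiki's IP class. Canonicalises IPv4 addresses and
// a.b.c.d/n ranges so that a zero-padded submission such as "010.000.000.001"
// matches a block stored as "10.0.0.1". Function names are assumptions and the
// sample inputs at the bottom are constructed. PHP 7.1+, 64-bit integers.

/**
 * Return the canonical form of an IPv4 address or CIDR range, or null when the
 * input is not one. Octets are read as decimal ("010" is 10, never octal 8)
 * and must be 1-3 digits in 0..255; the prefix length must be 0..32.
 */
function canonicalizeIPv4( string $ip ): ?string {
    $ip = trim( $ip );
    $prefix = null;
    $slash = strpos( $ip, '/' );
    if ( $slash !== false ) {
        $prefix = substr( $ip, $slash + 1 );
        $ip = substr( $ip, 0, $slash );
        if ( !ctype_digit( $prefix ) || (int)$prefix > 32 ) {
            return null;
        }
    }
    $octets = explode( '.', $ip );
    if ( count( $octets ) !== 4 ) {
        return null;
    }
    foreach ( $octets as $i => $octet ) {
        // ctype_digit rejects "", signs, spaces and hex; at most 3 digits.
        if ( !ctype_digit( $octet ) || strlen( $octet ) > 3 || (int)$octet > 255 ) {
            return null;
        }
        $octets[$i] = (string)(int)$octet; // drops the leading zeros
    }
    $canonical = implode( '.', $octets );
    return $prefix === null ? $canonical : $canonical . '/' . (int)$prefix;
}

/**
 * Does $ip fall inside $target (a single address or a CIDR range)? Both sides
 * are canonicalised first, so the stored block and the submitted address are
 * compared numerically rather than as the strings an admin or user typed.
 */
function isBlockedBy( string $ip, string $target ): bool {
    $ip = canonicalizeIPv4( $ip );
    $target = canonicalizeIPv4( $target );
    if ( $ip === null || $target === null || strpos( $ip, '/' ) !== false ) {
        return false;
    }
    list( $net, $bits ) = array_pad( explode( '/', $target, 2 ), 2, '32' );
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ( ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( ip2long( $ip ) & $mask ) === ( ip2long( $net ) & $mask );
}

// Constructed cases: the block was placed on the plain form, the edit comes
// from the zero-padded form (and a range written with a padded prefix).
foreach ( [
    [ '010.000.000.001', '10.0.0.1' ],
    [ '192.168.001.077', '192.168.1.0/024' ],
    [ '192.168.2.77', '192.168.1.0/24' ],
    [ '0300.0.0.1', '192.0.0.1' ], // four digits and 300 > 255: rejected as invalid
] as list( $submitted, $blockTarget ) ) {
    echo str_pad( $submitted, 18 ), ' vs ', str_pad( $blockTarget, 18 ), ' => ',
        isBlockedBy( $submitted, $blockTarget ) ? 'blocked' : 'not blocked', "\n";
}
```

Canonicalise before calling ip2long(): on glibc-based systems it is backed by inet_pton(), which rejects octets with leading zeros, while other parsers (BSD inet_aton(), some browsers) read a leading zero as octal. Storing and comparing only the canonical string removes both the mismatch the report describes and that ambiguity.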
(T109724) A combination of Special:MyPage redirects and pagecounts
allows an external site to learn the Wikipedia login of a user.
Wikimedia user Xavier Combelle reported a way to identify a user when
detailed page-view data is also released.
seclists.org/oss-sec/2015/q4/573
access.redhat.com/security/cve/CVE-2015-8622
access.redhat.com/security/cve/CVE-2015-8624
access.redhat.com/security/cve/CVE-2015-8625
access.redhat.com/security/cve/CVE-2015-8626
access.redhat.com/security/cve/CVE-2015-8627
access.redhat.com/security/cve/CVE-2015-8628
phabricator.wikimedia.org/T109724
phabricator.wikimedia.org/T115522
phabricator.wikimedia.org/T117899
phabricator.wikimedia.org/T118032
phabricator.wikimedia.org/T119309
phabricator.wikimedia.org/T97897