Ticket #506 (closed maintenance: fixed)
Mediawiki 1.19.4 Upgrade
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Mediawiki | Keywords: | |
| Cc: | ed | Estimated Number of Hours: | 0.5 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.35 | | |
Description
Announcement:
I would like to announce the release of MediaWiki 1.20.3 and 1.19.4. These releases fix 3 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email.
- By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST when establishing an SSL connection, instead of '2'. https://bugzilla.wikimedia.org/show_bug.cgi?id=44135 https://bugzilla.wikimedia.org/show_bug.cgi?id=42441
- MediaWiki developer Krenair discovered that the full user object, including password hash, could be returned when unblocking a user by the API. Exploitation of this vulnerability requires the user to have permissions to unblock users; by default this is limited to users in the sysop group. https://bugzilla.wikimedia.org/show_bug.cgi?id=43518
- MediaWiki developer Platonides discovered that the maintenance script mwdoc-filter.php did not check if it was being run via the CLI, and could allow an attacker to read arbitrary files if PHP's register_globals was enabled and the .htaccess file in the maintenance directory, which by default denies access for all users, was disabled. https://bugzilla.wikimedia.org/show_bug.cgi?id=45355
Full release notes for 1.19.4: https://www.mediawiki.org/wiki/Release_notes/1.19
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-March/000125.html
Change History
comment:1 Changed 4 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.0 to 0.1
comment:2 Changed 4 years ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.1 to 0.35
Following the last upgrade, ticket:470#comment:11
{{{
cd /web/wiki.transitionnetwork.org/
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
gpg --verify mediawiki-1.19.4.tar.gz.sig
gpg: Signature made Mon Mar 4 18:12:00 2013 GMT using DSA key ID 62D84F01
gpg: Good signature from "Chris Steipp <csteipp@wikimedia.org>"
tar -zxvf mediawiki-1.19.4.tar.gz
rsync -av mediawiki-1.19.4/ www/
cd www/maintenance/
php update.php
cd ..
chown root:root -R www/
cd www
chown -R www-data:www-data cache
chown -R www-data:www-data images
}}}
And now we are running the latest version of 1.19: https://wiki.transitionnetwork.org/Special:Version and the docs have been updated, wiki:PenguinServer#wiki.transitionnetwork.org and also the duplicate ticket has been closed, ticket:505
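The upgrade steps from comment:2, written up as a script (an added example, not part of the ticket or of MediaWiki itself). The one thing it does that the pasted session leaves to the operator's eyes is gate the unpack, rsync and update.php steps on the outcome of the signature check: in the session `gpg --verify` is run and its output read by a person, while here a failed or missing verification stops the run before anything touches `www/`. Paths, the download URL and the `www-data` user are taken from the ticket; the signing key is assumed to already be in root's keyring, as it was in the session, and the `MW_*`, `SITE_DIR` and `WEB_USER` variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the ticket: comment:2's upgrade as a script that
# refuses to unpack the release unless the detached signature verifies.
# Assumes the release signing key is already in the invoking user's keyring.
set -eu

MW_BRANCH="${MW_BRANCH:-1.19}"
MW_VERSION="${MW_VERSION:-1.19.4}"
SITE_DIR="${SITE_DIR:-/web/wiki.transitionnetwork.org}"
WEB_USER="${WEB_USER:-www-data}"

# URL of the release tarball; the detached signature is the same URL + ".sig".
release_url() {
    echo "http://download.wikimedia.org/mediawiki/${MW_BRANCH}/mediawiki-${MW_VERSION}.tar.gz"
}

# Succeeds only when gpg emits a VALIDSIG status line for the tarball.
# Machine-readable status lines are checked rather than the human "Good
# signature" text, and a missing file or a missing gpg binary is a failure,
# never a reason to skip the check. VALIDSIG only says the signature matches
# a key in the keyring; whether that key is the right one depends on how it
# was obtained and checked beforehand.
verify_release() {
    tarball="$1"
    sig="$2"
    [ -f "$tarball" ] && [ -f "$sig" ] || return 1
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | grep -q '^\[GNUPG:\] VALIDSIG '
}

upgrade() {
    cd "$SITE_DIR"
    tarball="mediawiki-${MW_VERSION}.tar.gz"
    wget -q "$(release_url)" "$(release_url).sig"
    if ! verify_release "$tarball" "$tarball.sig"; then
        echo "signature check failed for $tarball; aborting before unpacking" >&2
        return 1
    fi
    tar -zxf "$tarball"
    # Overlay the release onto the live tree, run the schema updater from the
    # maintenance directory as in the ticket, then reset ownership: the tree
    # is root-owned except for the two directories the web server writes to.
    rsync -a "mediawiki-${MW_VERSION}/" www/
    ( cd www/maintenance && php update.php )
    chown -R root:root www/
    chown -R "${WEB_USER}:${WEB_USER}" www/cache www/images
}

# Only perform the upgrade when explicitly asked for: `sh upgrade.sh run`
case "${1:-}" in
    run) upgrade ;;
esac
```

Override `MW_VERSION` (and `MW_BRANCH` for a different release line) to reuse the same script for the next point release; the ownership reset at the end is what restores the `root:root` tree with `www-data`-owned `cache` and `images` that the ticket's session produces by hand.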