Ticket #506 (closed maintenance: fixed)

Opened 4 years ago

Last modified 4 years ago

Mediawiki 1.19.4 Upgrade

Reported by: chris Owned by: chris
Priority: major Milestone:
Component: Mediawiki Keywords:
Cc: ed Estimated Number of Hours: 0.5
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.35



I would like to announce the release of MediaWiki 1.20.3 and 1.19.4. These releases fix 3 security related bugs that could affect users of MediaWiki. Download links are given at the end of this email.

  • MediaWiki developer Krenair discovered that the full user object, including password hash, could be returned when unblocking a user by the API. Exploitation of this vulnerability requires the user to have permissions to unblock users, by default this is limited to users in the sysop group. https://bugzilla.wikimedia.org/show_bug.cgi?id=43518
  • MediaWiki developer Platonides discovered that the maintenance script mwdoc-filter.php did not check if it was being run via the CLI, and could allow an attacker to read arbitrary files if PHP's register_globals was enabled and the .htaccess file in the maintenance directory, which by default denies access for all users, was disabled. https://bugzilla.wikimedia.org/show_bug.cgi?id=45355

Full release notes for 1.19.4: https://www.mediawiki.org/wiki/Release_notes/1.19


Change History

comment:1 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

comment:2 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.1 to 0.35

Following the last upgrade, ticket:470#comment:11

cd /web/wiki.transitionnetwork.org/
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
gpg --verify mediawiki-1.19.4.tar.gz.sig
 gpg: Signature made Mon Mar  4 18:12:00 2013 GMT using DSA key ID 62D84F01
 gpg: Good signature from "Chris Steipp <csteipp@wikimedia.org>"
tar -zxvf mediawiki-1.19.4.tar.gz
rsync -av mediawiki-1.19.4/ www/
cd www/maintenance/
php update.php 
cd ../..
chown root:root -R www/
cd www
chown -R www-data:www-data cache
chown -R www-data:www-data images

And now we are running the latest version of 1.19: https://wiki.transitionnetwork.org/Special:Version and the docs have been updated, wiki:PenguinServer#wiki.transitionnetwork.org and also the duplicate ticket has been closed, ticket:505
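
The "Good signature" line in the transcript above shows only that a key in the local keyring, identified by an 8-digit key ID, signed the tarball. As an added example (not part of the original ticket or of MediaWiki's tooling), the POSIX shell functions below pin the signer by full fingerprint using gpg's `--status-fd` output. The function names are hypothetical, and the fingerprint and status lines are constructed placeholders, not the real release key.

```shell
#!/bin/sh
# Added example: accept a release tarball only when its detached signature
# was made by a pinned key. All sample values below are constructed.

# signer_matches STATUS EXPECTED_FPR
# STATUS is the text printed by `gpg --status-fd 1 --verify`. Status 0 only if
# a GOODSIG line and a VALIDSIG line for the pinned fingerprint agree;
# status 2 if the pin is not a full 40-hex-digit fingerprint.
signer_matches() (
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in *[!0-9A-F]*) exit 2 ;; esac
    [ "${#want}" -eq 40 ] || exit 2          # short key IDs are refused
    good='' pinned=''
    while read -r tag kind id rest; do
        [ "$tag" = '[GNUPG:]' ] || continue
        case $kind in
            # gpg reports expired or revoked keys with other keywords
            GOODSIG) good="$good $id" ;;
            # $id: signing key fingerprint; last field: primary key fingerprint
            VALIDSIG)
                if [ "$id" = "$want" ] || [ "${rest##* }" = "$want" ]; then
                    pinned="$pinned $id"
                fi ;;
        esac
    done <<EOF
$1
EOF
    # The pinned VALIDSIG must belong to a signer that gpg also called good.
    for fpr in $pinned; do
        for g in $good; do
            case $fpr in *"$g") exit 0 ;; esac
        done
    done
    exit 1
)

# verify_tarball TARBALL EXPECTED_FPR: check TARBALL against TARBALL.sig.
verify_tarball() (
    out=$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || exit 1
    signer_matches "$out" "$2"
)

# Constructed status output (not captured from the real release).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF1111222233334444 2013-03-04 1362420720 0 4 0 17 2 00 AAAABBBBCCCCDDDDEEEEFFFF1111222233334444'
SAMPLE_FPR='AAAA BBBB CCCC DDDD EEEE FFFF 1111 2222 3333 4444'
```

In an upgrade run, `verify_tarball mediawiki-1.19.4.tar.gz "$PINNED_FPR"` would replace the bare `gpg --verify` step, with `PINNED_FPR` set to a fingerprint obtained out of band.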

comment:3 Changed 4 years ago by chris

  • Status changed from new to closed
  • Resolution set to fixed