Ticket #620 (closed maintenance: fixed)

Opened 3 years ago

Last modified 3 years ago

Upgrade MediaWiki to 1.19.9

Reported by: chris
Owned by: chris
Priority: critical
Milestone: Maintenance
Component: Mediawiki
Keywords:
Cc: ed
Estimated Number of Hours: 0.5
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.25

Description

See the announcement email:

I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and
1.19.9. These releases fix 2 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.

* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>

* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>


Additionally, the following extensions have been updated to fix security
issues:

* CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's
are not correctly hidden when this extension is used (CVE-2013-4569).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>

* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability
(CVE-2013-4573).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>

* CentralAuth: MediaWiki developer Platonides reported a login CSRF in
CentralAuth (CVE-2012-5394).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>


Full release notes for 1.21.3:
<https://www.mediawiki.org/wiki/Release_notes/1.21>

Full release notes for 1.20.8:
<https://www.mediawiki.org/wiki/Release_notes/1.20>

Full release notes for 1.19.9:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

The steps followed for the last upgrade can be followed again, see ticket:595 and see also the documentation at wiki:PenguinServer#wiki.transitionnetwork.org

Change History

comment:1 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 0.25

Following the last upgrade, ticket:595#comment:1

sudo -i
cd /web/wiki.transitionnetwork.org
export MW="1.19.9"
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz.sig
gpg --verify mediawiki-$MW.tar.gz.sig 
tar -zxvf mediawiki-$MW.tar.gz
rsync -av mediawiki-$MW/ www/
chown root:root -R www/
chown -R www-data:www-data www/cache
chown -R www-data:www-data www/images
cd www/maintenance/
php update.php 

The version was checked: http://wiki.transitionnetwork.org/Special:Version and everything seems fine, so closing this ticket.
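
A post-upgrade check for the cache-header issue described in the announcement (CVE-2013-4572), as an added example that is not part of the ticket or of MediaWiki: it flags responses that set a cookie while leaving a shared cache free to store and replay them. The sample responses and cookie names are constructed, and treating `private`, `no-store` and `no-cache` as the only safe directives is a simplifying assumption.

```python
# Added example, not MediaWiki code: find cookies set on shared-cacheable responses.
# Assumption: a response is safe only if Cache-Control carries private, no-store
# or no-cache (no-cache may be stored but must be revalidated before reuse).
SAFE_DIRECTIVES = {"private", "no-store", "no-cache"}

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw response head."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def cache_directives(headers):
    """Collect directive names from every Cache-Control header (there may be several)."""
    found = set()
    for name, value in headers:
        if name == "cache-control":
            for part in value.split(","):
                directive = part.split("=", 1)[0].strip().lower()
                if directive:
                    found.add(directive)
    return found

def exposed_cookies(raw):
    """Names of cookies set by a response that a shared cache may store and replay."""
    headers = parse_headers(raw)
    names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    if not names or cache_directives(headers) & SAFE_DIRECTIVES:
        return []
    return names

# Constructed sample responses (header names are real, values are made up).
SAMPLES = {
    "cookie_on_public_page": "HTTP/1.1 200 OK\r\nCache-Control: s-maxage=18000, max-age=0\r\n"
                             "Set-Cookie: wiki_session=abc123; path=/; HttpOnly\r\n"
                             "Set-Cookie: wikiUserID=42; path=/\r\n\r\n<html>",
    "cookie_private": "HTTP/1.1 200 OK\r\nCache-Control: must-revalidate\r\n"
                      "cache-control: Private, max-age=0\r\nSet-Cookie: wiki_session=def456\r\n\r\n",
    "cookie_no_cache_control": "HTTP/1.1 302 Found\r\nSet-Cookie: wiki_session=ghi789\r\n\r\n",
    "anonymous_page": "HTTP/1.1 200 OK\r\nCache-Control: s-maxage=18000\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, exposed_cookies(raw) or "ok")
```

The check is deliberately conservative: a cookie-setting response with no `Cache-Control` header at all is reported, since a shared cache may then apply its own heuristics.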
