Ticket #686 (closed maintenance: fixed)

Opened 3 years ago

Last modified 3 years ago

MediaWiki 1.19.11 Update

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Mediawiki
Keywords:
Cc: sam
Estimated Number of Hours: 0.25
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.5

Description

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11.

Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately.

Affected supported versions: All

Security fixes

  • Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. (CVE-2014-1610) https://bugzilla.wikimedia.org/show_bug.cgi?id=60339

Bug Fixes in 1.22.2

  • (bug 58253) Check for very old PCRE versions in installer and updater
  • (bug 60054) Make WikiPage::$mPreparedEdit public

Full release notes for 1.19.9:

Change History

comment:1 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 0.5

Following the notes at wiki:PenguinServer#wiki.transitionnetwork.org and the last upgrade, on ticket:669:

sudo -i
cd /web/wiki.transitionnetwork.org
export MW="1.19.11"
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz
wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig
gpg --verify mediawiki-$MW.tar.gz.sig
  gpg: Signature made Tue Jan 28 01:00:49 2014 GMT using DSA key ID 62D84F01
  gpg: Good signature from "Chris Steipp <csteipp@wikimedia.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 1624 32D9 E81C 1C61 8B30  1EEC EE1F 6634 62D8 4F01
tar -zxvf mediawiki-$MW.tar.gz
rsync -av mediawiki-$MW/ www/
chown root:root -R www/
chown -R www-data:www-data www/cache/
chown -R www-data:www-data www/images/
cd www/maintenance/
php update.php

The version was checked: http://wiki.transitionnetwork.org/Special:Version and everything seems fine.

I have updated the documentation, moving the MediaWiki notes from wiki:PenguinServer#wiki.transitionnetwork.org to wiki:MediaWiki.
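Added example (not part of this ticket or of MediaWiki's own tooling): the gpg run above reports "Good signature" but also warns that the key is not certified, so the only thing tying the tarball to the MediaWiki release manager is the fingerprint printed on the last line. The script below pins that fingerprint and refuses the download unless gpg's machine-readable status names it; the download URLs are the ones used in the ticket, and the status transcript used for the offline demonstration is constructed.

```shell
#!/bin/sh
# Pinned fingerprint, copied from the "Primary key fingerprint" line in this ticket.
EXPECTED_FPR="162432D9E81C1C618B301EECEE1F663462D84F01"

# Print the fingerprint(s) reported on the VALIDSIG line of gpg --status-fd output:
# field 3 is the signing (sub)key, the 12th field (when present) the primary key.
validsig_fingerprints() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF }'
}

# Exit 0 only if a VALIDSIG line names the expected fingerprint; a "Good signature"
# from some other key, a BADSIG, or no signature at all exit 1.
fingerprint_matches() {
    for fpr in $(validsig_fingerprints "$1"); do
        [ "$fpr" = "$2" ] && return 0
    done
    return 1
}

# Download tarball + detached signature as in the ticket and refuse to proceed
# unless the signature is valid AND made by the pinned key. Needs network and gpg.
verify_mediawiki_tarball() {
    mw="$1"            # e.g. 1.19.11
    branch="${mw%.*}"  # e.g. 1.19
    base="http://download.wikimedia.org/mediawiki/$branch/mediawiki-$mw.tar.gz"
    wget -q "$base" -O "mediawiki-$mw.tar.gz" || return 1
    wget -q "$base.sig" -O "mediawiki-$mw.tar.gz.sig" || return 1
    # Status lines go to stdout via --status-fd 1; the human-readable output is discarded.
    status=$(gpg --status-fd 1 --verify "mediawiki-$mw.tar.gz.sig" "mediawiki-$mw.tar.gz" 2>/dev/null) || true
    if fingerprint_matches "$status" "$EXPECTED_FPR"; then
        echo "mediawiki-$mw.tar.gz: valid signature from pinned key $EXPECTED_FPR"
    else
        echo "mediawiki-$mw.tar.gz: REFUSING, signature missing or from an unexpected key" >&2
        rm -f "mediawiki-$mw.tar.gz" "mediawiki-$mw.tar.gz.sig"
        return 1
    fi
}

# Offline demonstration on a constructed status transcript (the key id and
# fingerprint are the ones in the ticket; the timestamp fields are made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG EE1F663462D84F01 Chris Steipp <csteipp@wikimedia.org>
[GNUPG:] VALIDSIG 162432D9E81C1C618B301EECEE1F663462D84F01 2014-01-28 1390870849 0 4 0 17 2 00 162432D9E81C1C618B301EECEE1F663462D84F01
[GNUPG:] TRUST_UNDEFINED'
if fingerprint_matches "$SAMPLE_STATUS" "$EXPECTED_FPR"; then
    echo "sample transcript: fingerprint pinned OK"
fi
```

Run `verify_mediawiki_tarball 1.19.11` in place of the two wget lines and the bare `gpg --verify` to make the upgrade stop, rather than merely warn, when the signer is not the expected key.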
