http://localhost:8080/trac/ticket/686 <p> On the <a class="ext-link" href="http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html"><span class="icon">​</span>MediaWiki-announce list</a>: </p> <blockquote class="citation"> <p> I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11. </p> <p> Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandlerxtension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately. </p> <p> Affected supported versions: All </p> <h2 id="Securityfixes">Security fixes</h2> <ul><li>Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. (CVE-2014-1610) <a class="ext-link" href="https://bugzilla.wikimedia.org/show_bug.cgi?id=60339"><span class="icon">​</span>https://bugzilla.wikimedia.org/show_bug.cgi?id=60339</a> </li></ul><h2 id="BugFixesin1.22.2">Bug Fixes in 1.22.2</h2> <ul><li>(bug 58253) Check for very old PCRE versions in installer and updater </li><li>(bug 60054) Make WikiPage::$mPreparedEdit public </li></ul><p> Full release notes for 1.19.9: </p> <ul><li><a class="ext-link" href="https://www.mediawiki.org/wiki/Release_notes/1.19"><span class="icon">​</span>https://www.mediawiki.org/wiki/Release_notes/1.19</a> </li></ul></blockquote> en-us /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/686 Trac 0.12.5 chris Wed, 29 Jan 2014 10:26:03 GMT http://localhost:8080/trac/ticket/686#comment:1 http://localhost:8080/trac/ticket/686#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.5</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.5</em> </li> </ul> <p> Following the the notes at <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer#wiki.transitionnetwork.org">wiki:PenguinServer#wiki.transitionnetwork.org</a> and the last upgrade, on <a class="closed ticket" href="http://localhost:8080/trac/ticket/669" title="maintenance: Mediawiki upgrade to 1.19.10 (closed: fixed)">ticket:669</a>: </p> <pre class="wiki">sudo -i cd /web/wiki.transitionnetwork.org export MW="1.19.11" wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz wget http://download.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig gpg --verify mediawiki-$MW.tar.gz.sig gpg: Signature made Tue Jan 28 01:00:49 2014 GMT using DSA key ID 62D84F01 gpg: Good signature from "Chris Steipp &lt;csteipp@wikimedia.org&gt;" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1624 32D9 E81C 1C61 8B30 1EEC EE1F 6634 62D8 4F01 tar -zxvf mediawiki-$MW.tar.gz rsync -av mediawiki-$MW/ www/ chown root:root -R www/ chown -R www-data:www-data www/cache/ chown -R www-data:www-data www/images/ cd www/maintenance/ php update.php </pre><p> The version was checked: ​​<a class="ext-link" href="http://wiki.transitionnetwork.org/Special:Version"><span class="icon">​</span>http://wiki.transitionnetwork.org/Special:Version</a> and everthing seems fine. </p> <p> I have updated the documentation, moving the <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> notes from <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer#wiki.transitionnetwork.org">wiki:PenguinServer#wiki.transitionnetwork.org</a> to <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">wiki:MediaWiki</a>. </p> Ticket