Ticket #694 (closed maintenance: fixed)

Opened 3 years ago

Last modified 3 years ago

Mediawiki 1.19.12 upgrade

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Mediawiki
Keywords:
Cc: ed
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.25

Description

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.3, 1.21.6 and 1.19.12.
These releases fix a number of security related bugs that could affect users
of MediaWiki. In addition, MediaWiki 1.22.3 is a maintenance release. It fixes
several bugs. You can consult the RELEASE-NOTES-1.22 file for the full list of
changes in this version. Download links are given at the end of this email.

Security fixes

  • (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace.
  • (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
  • (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

Change History

comment:1 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 0.25

Following the notes from the last upgrade, ticket:686

sudo -i
cd /web/wiki.transitionnetwork.org
export MW="1.19.12"
wget http://releases.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz
wget http://releases.wikimedia.org/mediawiki/1.19/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig
gpg --verify mediawiki-$MW.tar.gz.sig
  gpg: Signature made Fri Feb 28 01:57:30 2014 GMT using RSA key ID 7F901A30
  gpg: Good signature from "Mark A. Hershberger <mah@everybody.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 3CEF 8262 806D 3F0B 6BA1  DBDD 7956 EE47 7F90 1A30
tar -zxvf mediawiki-$MW.tar.gz
rsync -av mediawiki-$MW/ www/
chown root:root -R www/
chown -R www-data:www-data www/cache/
chown -R www-data:www-data www/images/
cd www/maintenance/
php update.php 

The version was checked: http://wiki.transitionnetwork.org/Special:Version and everything seems fine.

The wiki:MediaWiki documentation was updated to reflect the new download URL.
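
The gpg output in the comment above reports a good signature from a key that is not certified as trusted, so the check only means something if the signing key's fingerprint is pinned. The following is an added example, not part of the original ticket or of MediaWiki's own tooling: it parses gpg's machine-readable status output and accepts the tarball only when the primary key fingerprint equals the one printed above. It assumes that fingerprint has been confirmed out of band; the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: require a specific signing key, not just "Good signature".

# Primary key fingerprint from the gpg output in the ticket, spaces removed.
# Assumption: this value has been confirmed through an independent channel.
EXPECTED_FPR="3CEF8262806D3F0B6BA1DBDD7956EE477F901A30"

# Constructed status lines (not captured from a real gpg run).
# VALIDSIG fields: signing-key fpr, date, timestamps, versions, algos,
# signature class, and finally the primary key fingerprint.
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2014-02-28 1393552650 0 4 0 1 2 00 $EXPECTED_FPR"
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_OTHER_KEY="[GNUPG:] VALIDSIG $OTHER_FPR 2014-02-28 1393552650 0 4 0 1 2 00 $OTHER_FPR"

# Read `gpg --status-fd 1 --verify` output on stdin. Succeed only if a
# VALIDSIG line ends with the wanted primary key fingerprint and no
# BADSIG or ERRSIG line appears anywhere in the output.
status_matches_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# Verify a detached signature against a file and enforce the pinned key.
# Usage: verify_release mediawiki-$MW.tar.gz.sig mediawiki-$MW.tar.gz
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_fpr "$EXPECTED_FPR"
}
```

In the upgrade sequence, `verify_release mediawiki-$MW.tar.gz.sig mediawiki-$MW.tar.gz || exit 1` would sit between the second wget and the tar step, so nothing is unpacked unless the pinned key made the signature.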
