Transition Technology: Ticket #813: MediaWiki 1.23.7 http://localhost:8080/trac/ticket/813 <p> The <a class="ext-link" href="https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-November/000170.html"><span class="icon">​</span>announcement email</a>: </p> <p> I would like to announce the release of <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> 1.23.7, 1.22.14 and 1.19.22. This is a regular security and maintenance release. Download links are given at the end of this email. </p> <blockquote class="citation"> <h2 id="Securityfixes">Security fixes</h2> <ul><li>(bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy. <a class="ext-link" href="https://phabricator.wikimedia.org/T68776"><span class="icon">​</span>https://phabricator.wikimedia.org/T68776</a> <a class="ext-link" href="https://phabricator.wikimedia.org/T73478"><span class="icon">​</span>https://phabricator.wikimedia.org/T73478</a> </li></ul><ul><li>(bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. <a class="ext-link" href="https://phabricator.wikimedia.org/T72901"><span class="icon">​</span>https://phabricator.wikimedia.org/T72901</a> </li></ul><ul><li>(bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario. <a class="ext-link" href="https://phabricator.wikimedia.org/T73111"><span class="icon">​</span>https://phabricator.wikimedia.org/T73111</a> </li></ul><ul><li>(bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff. <a class="ext-link" href="https://phabricator.wikimedia.org/T74222"><span class="icon">​</span>https://phabricator.wikimedia.org/T74222</a> </li></ul><h2 id="Bugfixes">Bugfixes</h2> <ul><li>(bug 71621) Make allowing site-wide styles on restricted special pages a config option. <a class="ext-link" href="https://phabricator.wikimedia.org/T73621"><span class="icon">​</span>https://phabricator.wikimedia.org/T73621</a> </li></ul><ul><li>(bug 42723) Added updated version history from 1.19.2 to 1.22.13 <a class="ext-link" href="https://phabricator.wikimedia.org/T44723"><span class="icon">​</span>https://phabricator.wikimedia.org/T44723</a> </li></ul><ul><li>$wgMangleFlashPolicy was added to make <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a>'s mangling of anything that might be a flash policy directive configurable. </li></ul><p> Full release notes for 1.23.7: <a class="ext-link" href="https://www.mediawiki.org/wiki/Release_notes/1.23"><span class="icon">​</span>https://www.mediawiki.org/wiki/Release_notes/1.23</a> </p> </blockquote> en-us Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/813 Trac 0.12.5 chris Thu, 27 Nov 2014 14:55:07 GMT hours, status, totalhours changed; resolution set http://localhost:8080/trac/ticket/813#comment:1 http://localhost:8080/trac/ticket/813#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> </ul> <p> Following the <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki#Updates">wiki:MediaWiki#Updates</a> notes: </p> <pre class="wiki">sudo -i cd /web/wiki.transitionnetwork.org export MW="1.23.7" wget http://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz wget http://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig gpg --verify mediawiki-$MW.tar.gz.sig tar -zxvf mediawiki-$MW.tar.gz rsync -av mediawiki-$MW/ www/ chown root:root -R www/ chown -R www-data:www-data www/cache/ chown -R www-data:www-data www/images/ cd www/maintenance/ php update.php cd /web/wiki.transitionnetwork.org rm mediawiki-$MW.tar.gz mediawiki-$MW.tar.gz.sig rm -rf mediawiki-$MW </pre><p> Checked ​<a class="ext-link" href="https://wiki.transitionnetwork.org/Special:Version"><span class="icon">​</span>https://wiki.transitionnetwork.org/Special:Version</a> </p> Ticket