Ticket #816 (closed maintenance: fixed)

Opened 2 years ago

Last modified 2 years ago

MediaWiki 1.23.8

Reported by: chris
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Mediawiki
Keywords:
Cc: ed
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.25

Description

The announcement email:

I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch.

Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23

  • (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
  • (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.

Bugfixes

  • (bug T74222) The original patch for T74222 was reverted as unnecessary.
  • Fixed a couple of entries in RELEASE-NOTES-1.24.
  • (bug T76168) OutputPage: Add accessors for some protected properties.
  • (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
  • Add missing $ in front of variable in OutputPage.php

Security fixes in extensions

  • (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
  • (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
  • (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
  • (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
  • (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
  • (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.

Full release notes for 1.23.8:
https://www.mediawiki.org/wiki/Release_notes/1.23
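The second fix in the announcement (T77028) concerns an origin allow-list that accepted any origin merely containing an allowed domain. The following is an added illustration, not MediaWiki's code: a substring check of the kind described beside a strict host comparison, run against a constructed allow-list (`ALLOWED_HOSTS`, `origin_host`, `origin_allowed_substring` and `origin_allowed_exact` are this example's own names).

```sh
#!/bin/sh
# Added example, not MediaWiki code: checking a request's Origin header against
# an allow-list of host names. ALLOWED_HOSTS is a constructed sample list.
ALLOWED_HOSTS="wiki.example.org docs.example.org"

# Print the lower-cased host part of an origin such as https://Wiki.example.org:8443
origin_host() {
    h=${1#*://}        # drop the scheme
    h=${h%%/*}         # drop any path (an Origin has none, but be safe)
    h=${h%%:*}         # drop the port
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Weak check: passes when an allowed name appears anywhere in the origin string,
# so any host whose name merely contains an allowed name is accepted.
origin_allowed_substring() {
    for host in $ALLOWED_HOSTS; do
        case "$1" in *"$host"*) return 0 ;; esac
    done
    return 1
}

# Strict check: the origin's host must equal an allowed name exactly.
origin_allowed_exact() {
    h=$(origin_host "$1")
    for host in $ALLOWED_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}
```

A production check would also compare the scheme (an allow-list of https origins should not accept the same hosts over http) and would answer with the single matching origin in `Access-Control-Allow-Origin` rather than echoing the request's value.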

Change History

comment:1 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 0.25

Following the wiki:MediaWiki#Updates notes:

sudo -i
cd /web/wiki.transitionnetwork.org
export MW="1.23.8"
# fetch the release tarball and its detached signature
wget http://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz
wget http://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig
# check the signature; only continue if gpg reports a good signature
gpg --verify mediawiki-$MW.tar.gz.sig
tar -zxvf mediawiki-$MW.tar.gz
# copy the new tree over the live one, then restore ownership: root owns everything,
# the web server only gets write access to cache/ and images/
rsync -av mediawiki-$MW/ www/
chown root:root -R www/
chown -R www-data:www-data www/cache/
chown -R www-data:www-data www/images/
# run the database schema update
cd www/maintenance/
php update.php
# clean up the downloaded files
cd /web/wiki.transitionnetwork.org
rm mediawiki-$MW.tar.gz mediawiki-$MW.tar.gz.sig
rm -rf mediawiki-$MW

The site was tested and all seems to be working fine so closing this ticket.
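The sequence in the comment above is typed interactively, so the operator reads the gpg output before continuing. The following is an added example, not part of the ticket or of MediaWiki, that turns the same steps into a script where extraction and installation cannot happen unless the signature verifies and the target is actually newer than what is installed. It assumes the release signing key is already imported into root's keyring and that `includes/DefaultSettings.php` records the installed version as a line of the form `$wgVersion = '1.23.8';`; the function names (`installed_version`, `version_lt`, `verify_tarball`, `upgrade_mediawiki`) are this example's own.

```sh
#!/bin/sh
# Added example: the ticket's manual upgrade sequence as a fail-closed script.
# Assumptions (not stated in the ticket): the MediaWiki release signing key is
# already imported into root's keyring, and includes/DefaultSettings.php carries
# the installed version as a line of the form  $wgVersion = '1.23.8';
RELEASES_BASE="http://releases.wikimedia.org/mediawiki"

# Print the version string recorded in a MediaWiki tree ($1 = path to the tree).
installed_version() {
    sed -n "s/^[\$]wgVersion = '\([^']*\)';.*/\1/p" "$1/includes/DefaultSettings.php"
}

# Return 0 when dotted version $1 is older than $2 (1.23.7 < 1.23.8, 1.23 < 1.23.1).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}              # leading component of each
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}              # a missing component counts as 0
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1                                  # versions are equal
}

# Verify the detached signature; anything other than a good signature aborts.
verify_tarball() {
    if gpg --verify "$1.sig" "$1"; then
        return 0
    fi
    echo "refusing to install $1: signature did not verify" >&2
    return 1
}

# upgrade_mediawiki <version> <site root>
# e.g. upgrade_mediawiki 1.23.8 /web/wiki.transitionnetwork.org
upgrade_mediawiki() {
    mw="$1"; site="$2"
    branch="${mw%.*}"                         # 1.23.8 -> 1.23 (release directory)
    cur=$(installed_version "$site/www") || return 1
    if [ -z "$cur" ]; then
        echo "could not read the installed version from $site/www" >&2
        return 1
    fi
    if ! version_lt "$cur" "$mw"; then
        echo "installed version $cur is not older than $mw; nothing to do"
        return 0
    fi
    cd "$site" || return 1
    wget -q "$RELEASES_BASE/$branch/mediawiki-$mw.tar.gz" -O "mediawiki-$mw.tar.gz" || return 1
    wget -q "$RELEASES_BASE/$branch/mediawiki-$mw.tar.gz.sig" -O "mediawiki-$mw.tar.gz.sig" || return 1
    verify_tarball "mediawiki-$mw.tar.gz" || return 1   # nothing is extracted before this passes
    tar -zxf "mediawiki-$mw.tar.gz" || return 1
    rsync -a "mediawiki-$mw/" www/ || return 1
    chown -R root:root www/
    chown -R www-data:www-data www/cache/ www/images/  # only these stay writable by the web server
    (cd www/maintenance && php update.php) || return 1
    rm -f "mediawiki-$mw.tar.gz" "mediawiki-$mw.tar.gz.sig"
    rm -rf "mediawiki-$mw"
}
```

The script defines functions only; run it with `. ./upgrade.sh && upgrade_mediawiki 1.23.8 /web/wiki.transitionnetwork.org` as root. Every step that can fail returns non-zero so the caller can stop, and the ownership reset keeps the web server's write access limited to cache/ and images/ exactly as the ticket does.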
