Ticket #841 (closed maintenance: fixed)

Opened 20 months ago

Last modified 20 months ago

Mediawiki 1.23.9

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Mediawiki Keywords:
Cc: ade Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.5


Email on the announcements list:

I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email.

Security fixes

Additionally, the following extensions have been updated to fix security issues:

  • Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. https://phabricator.wikimedia.org/T85113
  • Extension:!CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. https://phabricator.wikimedia.org/T85858

Bug fixes


  • Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
  • (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

1.23 & 1.24

  • (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Full release notes:


Patch to previous version:

GPG signatures:


Public keys:

Change History

comment:1 Changed 20 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 0.25

Following the wiki:MediaWiki#Updates notes:

sudo -i
cd /web/wiki.transitionnetwork.org
export MW="1.23.9"
wget https://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz
wget https://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig
  gpg --verify mediawiki-$MW.tar.gz.sig 
  gpg: Signature made Tue Mar 31 18:57:22 2015 BST using DSA key ID 62D84F01
  gpg: Good signature from "Chris Steipp <csteipp@wikimedia.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 1624 32D9 E81C 1C61 8B30  1EEC EE1F 6634 62D8 4F01
tar -zxvf mediawiki-$MW.tar.gz
rsync -av mediawiki-$MW/ www/
chown root:root -R www/
chown -R www-data:www-data www/cache/
chown -R www-data:www-data www/images/
cd www/maintenance/
php update.php 
cd /web/wiki.transitionnetwork.org
rm mediawiki-$MW.tar.gz mediawiki-$MW.tar.gz.sig
rm -rf mediawiki-$MW

Checked the site is working and the version via https://wiki.transitionnetwork.org/Special:Version all is good, closing.

comment:2 Changed 20 months ago by chris

  • Status changed from closed to reopened
  • Resolution fixed deleted

Sorry the VisualEditor is generating this error:

Error loading data from server: parsoidserver-http-request-error: MWHttpRequest error. Would you like to retry?

When testing the "edit" link from the https://wiki.transitionnetwork.org/Sandbox page... investigating...

comment:3 Changed 20 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.25 to 0.5

For some reason Parsiod settings for the external Parsoid instance, see https://docs.webarch.net/wiki/MediaWiki#VisualEditor in LocalSettings.php which were documented as being changed on ticket:799#comment:11 appear to have not been changed, these things needed changing:

$wgVisualEditorParsoidURL = 'http://parsoid.webarch.net:8142';

$wgVisualEditorParsoidPrefix = 'wiki.transitionnetwork.org';


I also checked to see if the VisualEditor needed updating, it didn't.

cd /web/wiki.transitionnetwork.org/www/extensions/VisualEditor
git pull

And the VisualEditor is now working fine, so closing again.

comment:4 Changed 20 months ago by chris

  • Status changed from reopened to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.