http://localhost:8080/trac/ticket/841 <p> Email on <a class="ext-link" href="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html"><span class="icon">​</span>the announcements list</a>: </p> <blockquote class="citation"> <p> I would like to announce the release of <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email. </p> <h2 id="Securityfixes">Security fixes</h2> <ul><li>iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. <a class="ext-link" href="https://phabricator.wikimedia.org/T85850"><span class="icon">​</span>https://phabricator.wikimedia.org/T85850</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. <a class="ext-link" href="https://phabricator.wikimedia.org/T86711"><span class="icon">​</span>https://phabricator.wikimedia.org/T86711</a> </li><li><a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a>'s Html class, in combination with LanguageConverter substitutions. <a class="ext-link" href="https://phabricator.wikimedia.org/T73394"><span class="icon">​</span>https://phabricator.wikimedia.org/T73394</a> </li><li>Internal review discovered that <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a>'s SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. <a class="ext-link" href="https://phabricator.wikimedia.org/T88310"><span class="icon">​</span>https://phabricator.wikimedia.org/T88310</a> </li><li>iSEC Partners discovered a XSS vulnerability in the way api errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> now detects and mitigates this issue on older versions of HHVM. <a class="ext-link" href="https://phabricator.wikimedia.org/T85851"><span class="icon">​</span>https://phabricator.wikimedia.org/T85851</a> </li><li>Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. <a class="ext-link" href="https://phabricator.wikimedia.org/T64685"><span class="icon">​</span>https://phabricator.wikimedia.org/T64685</a> </li><li>iSEC Partners discovered that <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a>'s SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). <a class="ext-link" href="https://phabricator.wikimedia.org/T85848"><span class="icon">​</span>https://phabricator.wikimedia.org/T85848</a> </li><li>Internal review found that <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. <a class="ext-link" href="https://phabricator.wikimedia.org/T71210"><span class="icon">​</span>https://phabricator.wikimedia.org/T71210</a> </li><li>iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. <a class="ext-link" href="https://phabricator.wikimedia.org/T85349"><span class="icon">​</span>https://phabricator.wikimedia.org/T85349</a> </li><li>iSEC Partners reported that the <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. <a class="ext-link" href="https://phabricator.wikimedia.org/T85855"><span class="icon">​</span>https://phabricator.wikimedia.org/T85855</a> </li></ul><p> Additionally, the following extensions have been updated to fix security issues: </p> <ul><li>Extension:Scribunto - <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki">MediaWiki</a> user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. <a class="ext-link" href="https://phabricator.wikimedia.org/T85113"><span class="icon">​</span>https://phabricator.wikimedia.org/T85113</a> </li><li>Extension:!CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. <a class="ext-link" href="https://phabricator.wikimedia.org/T85858"><span class="icon">​</span>https://phabricator.wikimedia.org/T85858</a> </li></ul><h2 id="Bugfixes">Bug fixes</h2> <h3 id="a1.24">1.24</h3> <ul><li>Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false. </li><li>(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix. </li></ul><h3 id="a1.231.24">1.23 &amp; 1.24</h3> <ul><li>(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. </li></ul><hr /> <p> Full release notes: </p> <ul><li><a class="ext-link" href="https://www.mediawiki.org/wiki/Release_notes/1.24"><span class="icon">​</span>https://www.mediawiki.org/wiki/Release_notes/1.24</a> </li><li><a class="ext-link" href="https://www.mediawiki.org/wiki/Release_notes/1.23"><span class="icon">​</span>https://www.mediawiki.org/wiki/Release_notes/1.23</a> </li><li><a class="ext-link" href="https://www.mediawiki.org/wiki/Release_notes/1.19"><span class="icon">​</span>https://www.mediawiki.org/wiki/Release_notes/1.19</a> </li></ul><p> Download: </p> <ul><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz</a> </li></ul><p> Patch to previous version: </p> <ul><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz</a> </li></ul><p> GPG signatures: </p> <ul><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig</a> </li><li><a class="ext-link" href="http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig"><span class="icon">​</span>http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig</a> </li></ul><p> Extensions: </p> <ul><li><a class="ext-link" href="http://www.mediawiki.org/wiki/Extension:Scribunto"><span class="icon">​</span>http://www.mediawiki.org/wiki/Extension:Scribunto</a> </li><li><a class="ext-link" href="http://www.mediawiki.org/wiki/Extension:CheckUser"><span class="icon">​</span>http://www.mediawiki.org/wiki/Extension:CheckUser</a> </li></ul><p> Public keys: </p> <ul><li><a class="ext-link" href="https://www.mediawiki.org/keys/keys.html"><span class="icon">​</span>https://www.mediawiki.org/keys/keys.html</a> </li></ul></blockquote> en-us /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/841 Trac 0.12.5 chris Wed, 01 Apr 2015 20:59:13 GMT http://localhost:8080/trac/ticket/841#comment:1 http://localhost:8080/trac/ticket/841#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> </ul> <p> Following the <a class="wiki" href="http://localhost:8080/trac/wiki/MediaWiki#Updates">wiki:MediaWiki#Updates</a> notes: </p> <pre class="wiki">sudo -i cd /web/wiki.transitionnetwork.org export MW="1.23.9" wget https://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz -O mediawiki-$MW.tar.gz wget https://releases.wikimedia.org/mediawiki/1.23/mediawiki-$MW.tar.gz.sig -O mediawiki-$MW.tar.gz.sig gpg --verify mediawiki-$MW.tar.gz.sig gpg: Signature made Tue Mar 31 18:57:22 2015 BST using DSA key ID 62D84F01 gpg: Good signature from "Chris Steipp &lt;csteipp@wikimedia.org&gt;" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1624 32D9 E81C 1C61 8B30 1EEC EE1F 6634 62D8 4F01 tar -zxvf mediawiki-$MW.tar.gz rsync -av mediawiki-$MW/ www/ chown root:root -R www/ chown -R www-data:www-data www/cache/ chown -R www-data:www-data www/images/ cd www/maintenance/ php update.php cd /web/wiki.transitionnetwork.org rm mediawiki-$MW.tar.gz mediawiki-$MW.tar.gz.sig rm -rf mediawiki-$MW </pre><p> Checked the site is working and the version via <a class="ext-link" href="https://wiki.transitionnetwork.org/Special:Version"><span class="icon">​</span>https://wiki.transitionnetwork.org/Special:Version</a> all is good, closing. </p> Ticket chris Wed, 01 Apr 2015 21:01:34 GMT http://localhost:8080/trac/ticket/841#comment:2 http://localhost:8080/trac/ticket/841#comment:2 <ul> <li><strong>status</strong> changed from <em>closed</em> to <em>reopened</em> </li> <li><strong>resolution</strong> <em>fixed</em> deleted </li> </ul> <p> Sorry the VisualEditor is generating this error: </p> <blockquote class="citation"> <p> Error loading data from server: parsoidserver-http-request-error: MWHttpRequest error. Would you like to retry? </p> </blockquote> <p> When testing the "edit" link from the <a class="ext-link" href="https://wiki.transitionnetwork.org/Sandbox"><span class="icon">​</span>https://wiki.transitionnetwork.org/Sandbox</a> page... investigating... </p> Ticket chris Wed, 01 Apr 2015 21:17:51 GMT http://localhost:8080/trac/ticket/841#comment:3 http://localhost:8080/trac/ticket/841#comment:3 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> <li><strong>totalhours</strong> changed from <em>0.25</em> to <em>0.5</em> </li> </ul> <p> For some reason Parsiod settings for the external Parsoid instance, see <a class="ext-link" href="https://docs.webarch.net/wiki/MediaWiki#VisualEditor"><span class="icon">​</span>https://docs.webarch.net/wiki/MediaWiki#VisualEditor</a> in LocalSettings.php which were documented as being changed on <a class="closed ticket" href="http://localhost:8080/trac/ticket/799#comment:11" title="maintenance: MediaWiki Visual Editor broken from Parsoid update (closed: fixed)">ticket:799#comment:11</a> appear to have not been changed, these things needed changing: </p> <pre class="wiki">$wgVisualEditorParsoidURL = 'http://parsoid.webarch.net:8142'; $wgVisualEditorParsoidPrefix = 'wiki.transitionnetwork.org'; //require_once("$IP/extensions/Parsoid/Parsoid.php"); </pre><p> I also checked to see if the VisualEditor needed updating, it didn't. </p> <pre class="wiki">cd /web/wiki.transitionnetwork.org/www/extensions/VisualEditor git pull </pre><p> And the VisualEditor is now working fine, so closing again. </p> Ticket chris Wed, 01 Apr 2015 21:25:07 GMT http://localhost:8080/trac/ticket/841#comment:4 http://localhost:8080/trac/ticket/841#comment:4 <ul> <li><strong>status</strong> changed from <em>reopened</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> Ticket