Looks like we'd better upgrade MediaWiki again. :)

+ Justin

Begin forwarded message:

> From: Chris Steipp <[email protected]>
> Subject: [MediaWiki-announce] MediaWiki Security and Maintenance Releases:
> 1.19.24, 1.23.9, and 1.24.2
> Date: 31 March 2015 22:20:09 BST
> To: [email protected], Wikimedia developers
> <[email protected]>, MediaWiki-l
> <[email protected]>, [email protected]
>
> I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
> 1.19.24. These releases fix 10 security issues, in addition to other bug
> fixes. Download links are given at the end of this email.
>
>
> == Security fixes ==
>
> * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
> embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
> JavaScript in the SVG. The issue was additionally identified by Mario
> Heiderich / Cure53. MIME types are now whitelisted.
> <https://phabricator.wikimedia.org/T85850>
>
> * MediaWiki user Bawolff pointed out that the SVG filter to prevent
> injecting JavaScript using animate elements was incorrect.
> <https://phabricator.wikimedia.org/T86711>
>
> * MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
> attributes were expanded in MediaWiki's Html class, in combination with
> LanguageConverter substitutions.
> <https://phabricator.wikimedia.org/T73394>
>
> * Internal review discovered that MediaWiki's SVG filtering could be
> bypassed with entity encoding under the Zend interpreter. This could be
> used to inject JavaScript. This issue was also discovered by Mario Gomes
> from Beyond Security.
> <https://phabricator.wikimedia.org/T88310>
>
> * iSEC Partners discovered an XSS vulnerability in the way api errors were
> reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
> MediaWiki now detects and mitigates this issue on older versions of HHVM.
> <https://phabricator.wikimedia.org/T85851>
>
> * Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
> MediaWiki versions using PBKDF2 for password hashing (the default since
> 1.24) are vulnerable to DoS attacks using extremely long passwords.
> <https://phabricator.wikimedia.org/T64685>
>
> * iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
> under HHVM, was susceptible to "Billion Laughs" DoS attacks
> (iSEC-WMF1214-13).
> <https://phabricator.wikimedia.org/T85848>
>
> * Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
> DoS attacks, under both HHVM and Zend PHP.
> <https://phabricator.wikimedia.org/T71210>
>
> * iSEC Partners discovered a way to bypass the style filtering for SVG
> files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
> the SVG.
> <https://phabricator.wikimedia.org/T85349>
>
> * iSEC Partners reported that the MediaWiki feature allowing a user to
> preview another user's custom JavaScript could be abused for privilege
> escalation (iSEC-WMF1214-10). This feature has been removed.
> <https://phabricator.wikimedia.org/T85855>
>
>
> Additionally, the following extensions have been updated to fix security
> issues:
>
> * Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
> names were not sanitized in Lua error backtraces, which could lead to XSS.
> <https://phabricator.wikimedia.org/T85113>
>
> * Extension:CheckUser - iSEC Partners discovered that the CheckUser
> extension did not prevent CSRF attacks on the form allowing checkusers to
> look up sensitive information about other users (iSEC-WMF1214-6). Since the
> use of CheckUser is logged, the CSRF could be abused to defame a trusted
> user or flood the logs with noise.
> <https://phabricator.wikimedia.org/T85858>
>
>
> == Bug fixes ==
>
> === 1.24 ===
>
> * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
> fix loading these special pages when $wgAutoloadAttemptLowercase is false.
> * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
> change and running update.php to fix.
>
> === 1.23 & 1.24 ===
>
> * (bug T70087) Fix Special:ActiveUsers page for installations using
> PostgreSQL.
>
>
> **********************************************************************
>
> Full release notes:
> https://www.mediawiki.org/wiki/Release_notes/1.24
> https://www.mediawiki.org/wiki/Release_notes/1.23
> https://www.mediawiki.org/wiki/Release_notes/1.19
>
> Download:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
>
> Patch to previous version:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
>
> Extensions:
> http://www.mediawiki.org/wiki/Extension:Scribunto
> http://www.mediawiki.org/wiki/Extension:CheckUser
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
> _______________________________________________
> MediaWiki announcements mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

--
GlusterFS - http://www.gluster.org
An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift

_______________________________________________
Gluster-infra mailing list
[email protected]
http://www.gluster.org/mailman/listinfo/gluster-infra
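Two of the items in the forwarded announcement, the "Billion Laughs" (T85848) and "Quadratic Blowup" (T71210) denial-of-service issues in SVG/XMP parsing, share one root cause: the XML document declares entities and the parser expands them. The check below is an added example, not MediaWiki's own code and not how MediaWiki fixed either bug; it shows the defender-side pre-check a practitioner would put in front of an upload handler, using only Python's standard-library expat binding. All sample documents are constructed here for the test; the function name `check_xml_entity_safety` and the verdict fields are this example's own. It deliberately keeps accepting a plain `<!DOCTYPE svg PUBLIC ...>` with no entity declarations, because many legitimate editor-produced SVGs carry one.

```python
"""Pre-parse check for uploaded SVG/XML: refuse any document that declares
XML entities, which is where "Billion Laughs" (nested entity references)
and "Quadratic Blowup" (one large entity referenced many times) get their
amplification.  Added example; not MediaWiki code."""
import xml.parsers.expat


class EntityDeclarationFound(Exception):
    """Raised from inside the expat handler to abort parsing at once."""


def check_xml_entity_safety(data: bytes) -> dict:
    """Return a verdict for one XML document.

    expat calls EntityDeclHandler for each <!ENTITY ...> in the internal
    DTD subset before any reference to it is expanded, so aborting there
    is cheap no matter how large the eventual expansion would have been.
    A DOCTYPE by itself (no entities) is allowed through.
    """
    verdict = {"accepted": False, "has_doctype": False,
               "entity_name": None, "error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        verdict["has_doctype"] = True  # recorded, not by itself a rejection

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        verdict["entity_name"] = name  # first declared entity, in document order
        raise EntityDeclarationFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclarationFound:
        verdict["error"] = "entity declaration present"
        return verdict
    except xml.parsers.expat.ExpatError as exc:
        verdict["error"] = f"malformed XML: {exc}"
        return verdict
    verdict["accepted"] = True
    return verdict


# --- constructed sample inputs (not from the announcement) ---------------
BENIGN_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<rect width="1" height="1"/></svg>')

# A public DOCTYPE with no internal subset, as editors commonly emit.
DOCTYPE_ONLY_SVG = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
                    b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
                    b'<svg xmlns="http://www.w3.org/2000/svg"/>')

# Three-level nested entities: the shape of a "Billion Laughs" document,
# kept tiny here so it is only a detector test vector.
NESTED_ENTITIES_SVG = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE svg ['
                       b'<!ENTITY a "aaaaaaaaaa">'
                       b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
                       b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
                       b']>'
                       b'<svg xmlns="http://www.w3.org/2000/svg">'
                       b'<title>&c;</title></svg>')

# One large entity referenced repeatedly: the "Quadratic Blowup" shape.
REPEATED_ENTITY_SVG = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE svg [<!ENTITY pad "' + b'x' * 64 + b'">]>'
                       b'<svg xmlns="http://www.w3.org/2000/svg"><desc>'
                       + b'&pad;' * 16 + b'</desc></svg>')


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG),
                       ("doctype-only", DOCTYPE_ONLY_SVG),
                       ("nested-entities", NESTED_ENTITIES_SVG),
                       ("repeated-entity", REPEATED_ENTITY_SVG),
                       ("truncated", b"<svg>")]:
        print(label, check_xml_entity_safety(doc))
```

Because the rejection happens in the declaration handler, the parser never reaches the `&c;` reference, so the cost of the check is bounded by the size of the DTD subset rather than the size of the expansion. Rejecting the whole DOCTYPE instead would be simpler but would break the many SVGs that only carry a public identifier.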
