Chris,

There might be something wrong with the mediawiki-1.23.9.patch file. I've been using the patches to do point-release upgrades for quite a while, and this is the first time I've seen something like this:

$ patch -p 1 --dry-run < mediawiki-1.23.9.patch
patching file Gruntfile.js
patching file includes/DefaultSettings.php
patching file includes/EditPage.php
patching file includes/Html.php
patching file includes/libs/XmlTypeCheck.php
patching file includes/media/BitmapMetadataHandler.php
patching file includes/media/JpegMetadataExtractor.php
patching file includes/media/XMP.php
patching file includes/OutputPage.php
patching file includes/specials/SpecialActiveusers.php
patching file includes/specials/SpecialJavaScriptTest.php
patching file includes/upload/UploadBase.php
patching file includes/Xml.php
patching file jsduck.json
patching file languages/i18n/en.json
patching file languages/i18n/qqq.json
patching file maintenance/jsduck/config.json
patching file maintenance/jsduck/MetaTags.rb
patching file maintenance/mwjsduck-gen
patching file RELEASE-NOTES-1.23
patching file resources/Resources.php
patching file resources/src/jquery/jquery.badge.css
patching file resources/src/mediawiki.special/mediawiki.special.javaScriptTest.js
The next patch would delete the file tests/frontend/Gruntfile.js,
which does not exist!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1472
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.23.8/tests/parser/parserTests.txt mediawiki-1.23.9/tests/parser/parserTests.txt
|--- mediawiki-1.23.8/tests/parser/parserTests.txt 2015-03-31 13:11:11.000000000 +0000
|+++ mediawiki-1.23.9/tests/parser/parserTests.txt 2015-03-31 13:10:49.000000000 +0000
--------------------------
File to patch: ^C

I ctrl-c'ed out here.

Larry Silverman
Chief Technology Officer
TrackAbout, Inc.
On Tue, Mar 31, 2015 at 4:20 PM, Chris Steipp <[email protected]> wrote:

> I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
> 1.19.24. These releases fix 10 security issues, in addition to other bug
> fixes. Download links are given at the end of this email.
>
>
> == Security fixes ==
>
> * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
> embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
> JavaScript in the SVG. The issue was additionally identified by Mario
> Heiderich / Cure53. MIME types are now whitelisted.
> <https://phabricator.wikimedia.org/T85850>
>
> * MediaWiki user Bawolff pointed out that the SVG filter to prevent
> injecting JavaScript using animate elements was incorrect.
> <https://phabricator.wikimedia.org/T86711>
>
> * MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
> attributes were expanded in MediaWiki's Html class, in combination with
> LanguageConverter substitutions.
> <https://phabricator.wikimedia.org/T73394>
>
> * Internal review discovered that MediaWiki's SVG filtering could be
> bypassed with entity encoding under the Zend interpreter. This could be
> used to inject JavaScript. This issue was also discovered by Mario Gomes
> from Beyond Security.
> <https://phabricator.wikimedia.org/T88310>
>
> * iSEC Partners discovered an XSS vulnerability in the way API errors were
> reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
> MediaWiki now detects and mitigates this issue on older versions of HHVM.
> <https://phabricator.wikimedia.org/T85851>
>
> * Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
> MediaWiki versions using PBKDF2 for password hashing (the default since
> 1.24) are vulnerable to DoS attacks using extremely long passwords.
> <https://phabricator.wikimedia.org/T64685>
>
> * iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
> under HHVM, was susceptible to "Billion Laughs" DoS attacks
> (iSEC-WMF1214-13).
> <https://phabricator.wikimedia.org/T85848>
>
> * Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
> DoS attacks, under both HHVM and Zend PHP.
> <https://phabricator.wikimedia.org/T71210>
>
> * iSEC Partners discovered a way to bypass the style filtering for SVG
> files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
> the SVG.
> <https://phabricator.wikimedia.org/T85349>
>
> * iSEC Partners reported that the MediaWiki feature allowing a user to
> preview another user's custom JavaScript could be abused for privilege
> escalation (iSEC-WMF1214-10). This feature has been removed.
> <https://phabricator.wikimedia.org/T85855>
>
>
> Additionally, the following extensions have been updated to fix security
> issues:
>
> * Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
> names were not sanitized in Lua error backtraces, which could lead to XSS.
> <https://phabricator.wikimedia.org/T85113>
>
> * Extension:CheckUser - iSEC Partners discovered that the CheckUser
> extension did not prevent CSRF attacks on the form allowing checkusers to
> look up sensitive information about other users (iSEC-WMF1214-6). Since the
> use of CheckUser is logged, the CSRF could be abused to defame a trusted
> user or flood the logs with noise.
> <https://phabricator.wikimedia.org/T85858>
>
>
> == Bug fixes ==
>
> === 1.24 ===
>
> * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
> fix loading these special pages when $wgAutoloadAttemptLowercase is false.
> * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
> change and running update.php to fix.
>
> === 1.23 & 1.24 ===
>
> * (bug T70087) Fix Special:ActiveUsers page for installations using
> PostgreSQL.
>
>
> **********************************************************************
>
> Full release notes:
> https://www.mediawiki.org/wiki/Release_notes/1.24
> https://www.mediawiki.org/wiki/Release_notes/1.23
> https://www.mediawiki.org/wiki/Release_notes/1.19
>
> Download:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
>
> Patch to previous version:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
>
> Extensions:
> http://www.mediawiki.org/wiki/Extension:Scribunto
> http://www.mediawiki.org/wiki/Extension:CheckUser
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
