Hello,

Just a clarification: MediaWiki-Vagrant [1] users should run `vagrant git-update` to update to the latest version. This is especially relevant for users running it on publicly-accessible hosts and having any of the following roles enabled:

- visualeditor
- restbase
- parsoid

Cheers,
Marko Obrovac, PhD
Senior Services Engineer
Wikimedia Foundation

[1] https://www.mediawiki.org/wiki/MediaWiki-Vagrant

On 20 January 2016 at 11:20, Gabriel Wicke <[email protected]> wrote:
> A vulnerability has been found in RESTBase v0.9.1 and earlier that
> allowed attackers to read arbitrary files on the host system by
> passing a specially crafted URL. This vulnerability has been fixed in
> [1].
>
> All RESTBase users are strongly encouraged to upgrade to v0.9.2
> immediately. Files readable by the RESTBase service user might have
> been accessed by third parties, so appropriate measures should be
> taken.
>
> mediawiki-containers [2] users with automatic updates enabled have
> already been upgraded to v0.9.2.
>
> --
> Gabriel Wicke
> Principal Engineer, Wikimedia Foundation
>
> [1]: https://github.com/wikimedia/restbase/commit/1ea649306ae4e85ab2cee5a36318e990a4fca3f5
> [2]: https://github.com/wikimedia/mediawiki-containers
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
