[Gluster-infra] Fwd: [MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

Justin Clift justin at gluster.org
Tue Mar 31 23:45:50 UTC 2015


Looks like we'd better upgrade Mediawiki again. :)

+ Justin


Begin forwarded message:
> From: Chris Steipp <csteipp at wikimedia.org>
> Subject: [MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2
> Date: 31 March 2015 22:20:09 BST
> To: mediawiki-announce at lists.wikimedia.org, Wikimedia developers <wikitech-l at lists.wikimedia.org>, MediaWiki-l <mediawiki-l at lists.wikimedia.org>, mediawiki-enterprise at lists.wikimedia.org
> 
> I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
> 1.19.24. These releases fix 10 security issues, in addition to other bug
> fixes. Download links are given at the end of this email.
> 
> 
> == Security fixes ==
> 
> * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
> embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
> JavaScript in the SVG. The issue was additionally identified by Mario
> Heiderich / Cure53. MIME types are now whitelisted.
> <https://phabricator.wikimedia.org/T85850>
> 
> * MediaWiki user Bawolff pointed out that the SVG filter to prevent
> injecting JavaScript using animate elements was incorrect.
> <https://phabricator.wikimedia.org/T86711>
> 
> * MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
> attributes were expanded in MediaWiki's Html class, in combination with
> LanguageConverter substitutions.
> <https://phabricator.wikimedia.org/T73394>
> 
> * Internal review discovered that MediaWiki's SVG filtering could be
> bypassed with entity encoding under the Zend interpreter. This could be
> used to inject JavaScript. This issue was also discovered by Mario Gomes
> from Beyond Security.
> <https://phabricator.wikimedia.org/T88310>
> 
> * iSEC Partners discovered an XSS vulnerability in the way api errors were
> reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
> MediaWiki now detects and mitigates this issue on older versions of HHVM.
> <https://phabricator.wikimedia.org/T85851>
> 
> * Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
> MediaWiki versions using PBKDF2 for password hashing (the default since
> 1.24) are vulnerable to DoS attacks using extremely long passwords.
> <https://phabricator.wikimedia.org/T64685>
> 
> * iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
> under HHVM, was susceptible to "Billion Laughs" DoS attacks
> (iSEC-WMF1214-13).
> <https://phabricator.wikimedia.org/T85848>
> 
> * Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
> DoS attacks, under both HHVM and Zend PHP.
> <https://phabricator.wikimedia.org/T71210>
> 
> * iSEC Partners discovered a way to bypass the style filtering for SVG
> files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
> the SVG.
> <https://phabricator.wikimedia.org/T85349>
> 
> * iSEC Partners reported that the MediaWiki feature allowing a user to
> preview another user's custom JavaScript could be abused for privilege
> escalation (iSEC-WMF1214-10). This feature has been removed.
> <https://phabricator.wikimedia.org/T85855>
> 
> 
> Additionally, the following extensions have been updated to fix security
> issues:
> 
> * Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
> names were not sanitized in Lua error backtraces, which could lead to XSS.
> <https://phabricator.wikimedia.org/T85113>
> 
> * Extension:CheckUser - iSEC Partners discovered that the CheckUser
> extension did not prevent CSRF attacks on the form allowing checkusers to
> look up sensitive information about other users (iSEC-WMF1214-6). Since the
> use of CheckUser is logged, the CSRF could be abused to defame a trusted
> user or flood the logs with noise.
> <https://phabricator.wikimedia.org/T85858>
> 
> 
> == Bug fixes ==
> 
> === 1.24 ===
> 
> * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
> fix loading these special pages when $wgAutoloadAttemptLowercase is false.
> * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
> change and running update.php to fix.
> 
> === 1.23 & 1.24 ===
> 
> * (bug T70087) Fix Special:ActiveUsers page for installations using
> PostgreSQL.
> 
> 
> **********************************************************************
> 
> Full release notes:
> https://www.mediawiki.org/wiki/Release_notes/1.24
> https://www.mediawiki.org/wiki/Release_notes/1.23
> https://www.mediawiki.org/wiki/Release_notes/1.19
> 
> Download:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
> 
> Patch to previous version:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
> 
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
> 
> Extensions:
> http://www.mediawiki.org/wiki/Extension:Scribunto
> http://www.mediawiki.org/wiki/Extension:CheckUser
> 
> Public keys:
> https://www.mediawiki.org/keys/keys.html

--
GlusterFS - http://www.gluster.org

An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift
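As an added example (not MediaWiki's own code, and not part of the forwarded announcement): a pre-parse check of the kind an upload filter could run on SVG or XMP input to reject the "Billion Laughs" and "Quadratic Blowup" entity-expansion patterns named in the advisory, by estimating each declared entity's expanded size from the DOCTYPE internal subset before the document ever reaches an XML parser. The size limits and the regex-based DTD scan are assumptions of this example, not MediaWiki's values.

```python
import re

# Assumed limits (not MediaWiki's values): per-entity and whole-body expansion in bytes.
MAX_ENTITY_EXPANSION = 10_000
MAX_TOTAL_EXPANSION = 1_000_000

_DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&(\w+);')

def entity_expansion_sizes(subset):
    # Map each internal entity declared in the DTD subset to its fully expanded length.
    decls = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in _ENTITY_DECL.finditer(subset)}
    sizes = {}
    def size_of(name, stack):
        if name not in decls:       # predefined (&lt;) or undeclared: reference stays as text
            return len(name) + 2
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError('recursive entity &%s;' % name)
        stack.add(name)
        value, total, pos = decls[name], 0, 0
        for ref in _ENTITY_REF.finditer(value):   # literal text plus nested expansions
            total += ref.start() - pos + size_of(ref.group(1), stack)
            pos = ref.end()
        sizes[name] = total + len(value) - pos
        stack.discard(name)
        return sizes[name]
    for name in decls:
        size_of(name, set())
    return sizes

def check_entity_expansion(xml_text):
    # Return (accepted, reason) for an SVG/XMP document before it reaches an XML parser.
    m = _DOCTYPE.search(xml_text)
    subset, body = (m.group(1), xml_text[m.end():]) if m else ('', xml_text)
    try:
        sizes = entity_expansion_sizes(subset)
    except ValueError as err:
        return False, str(err)
    for name, size in sizes.items():   # Billion Laughs: nested entities grow exponentially
        if size > MAX_ENTITY_EXPANSION:
            return False, 'entity &%s; expands to %d bytes' % (name, size)
    total = sum(sizes.get(n, len(n) + 2) for n in _ENTITY_REF.findall(body))
    if total > MAX_TOTAL_EXPANSION:    # Quadratic Blowup: one large entity referenced many times
        return False, 'body expands to %d bytes' % total
    return True, 'ok'
```

The check is a cheap pre-filter only; the parser behind it should still have entity expansion disabled or limited, since external entities and parameter entities are not modelled here.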


