Hi,
With the release of MediaWiki 1.28, the lifetime of MediaWiki version
1.26.x has come to an end.
Users still using MediaWiki 1.26.x are advised to upgrade to version
1.28.0, the latest stable version.
-Chad
The parsing team has fixed a security bug in Parsoid [1].
* Users could send invalid prefixes, formats, or domains and run
JavaScript code on the error page that Parsoid displayed.
* This fix has been applied to the Wikimedia cluster [2] and also merged
into Parsoid master [1].
* We have also released a 0.5.3 deb version with this patch applied. [3]
* We have also released a 0.5.3 npm version of Parsoid. [4]
* Parsoid is a stateless service and doesn't retain any state between
requests. In private wikis, VisualEditor can be configured to
forward the user cookie to Parsoid to pass along to the MediaWiki API
to parse a page, but this exploit is not exposed through VE.
In addition, Parsoid doesn't receive any user credentials on
public wikis.
* However, if a wiki's Parsoid service is publicly accessible on the
internet *and* is accessible through the wiki's domain, then this
exploit can be used to leak user cookies for that wiki. For all wikis
that use Parsoid in this fashion, we recommend they patch their
Parsoid installation immediately.
* On the Wikimedia cluster, Parsoid is proxied behind RESTBase and is
not publicly accessible and as such, this exploit wasn't available for
an exploit to steal user sessions.
Thanks to the reporter of this exploit, Darian Patrick from the
Security Team, Arlo Breault from the Parsing Team, Daniel Zahn and
others from Ops for their assistance handling this bug and preparing
this release.
Subramanya Sastry,
Technical Lead and Manager,
Parsing Team,
Wikimedia Foundation.
[1] https://gerrit.wikimedia.org/r/#/c/319115
[2] https://www.mediawiki.org/wiki/Parsoid/Deployments#Monday.2C_October_31.2C_…
[3] https://releases.wikimedia.org/debian/pool/main/p/parsoid/
[4] https://www.npmjs.com/package/parsoid
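The error-page issue the announcement above describes, as an added example that is not Parsoid's code: a request for an unknown wiki prefix is echoed into the error page, so the vulnerable variant reflects any markup the parameter carries, while the hardened variant HTML-escapes every untrusted value first. The parameter name, the allowlist of prefixes and the error-page layout are assumptions for this example.

```javascript
// Added example, not Parsoid's code. The "prefix" query parameter,
// the allowlist below and the error-page layout are assumptions.

// Minimal HTML escaping for text placed into an HTML document body.
// '&' is replaced first so later replacements are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable variant: the unknown value is interpolated verbatim, so any
// markup in the request parameter becomes part of the error page.
function errorPageUnsafe(param, value) {
  return `<html><body><h1>Error</h1>
<p>Invalid ${param}: ${value}</p></body></html>`;
}

// Hardened variant: every untrusted value is escaped before interpolation,
// so the browser renders it as text rather than as markup.
function errorPageSafe(param, value) {
  return `<html><body><h1>Error</h1>
<p>Invalid ${escapeHtml(param)}: ${escapeHtml(value)}</p></body></html>`;
}

// Constructed sample configuration: the wiki prefixes this service knows.
const KNOWN_PREFIXES = new Set(['enwiki', 'dewiki']);

// Dispatch: known prefix -> OK; unknown prefix -> 404 error page rendered
// by the unsafe or the hardened builder, selected by `safe`.
function handleRequest(query, safe) {
  const prefix = query.prefix;
  if (KNOWN_PREFIXES.has(prefix)) {
    return { status: 200, body: 'OK' };
  }
  const render = safe ? errorPageSafe : errorPageUnsafe;
  return { status: 404, body: render('prefix', prefix) };
}

// Constructed sample input: an unknown prefix carrying a script tag,
// the kind of value a scanner would send to detect reflection.
const SAMPLE_PREFIX = '<script>alert(1)</script>';

// Detection helper: does a live <script ...> tag appear in the response?
function containsRawScript(html) {
  return /<script[\s>]/i.test(html);
}
```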
A security bug [1] has been fixed in CentralAuth; the bug caused logouts to
silently fail if the local account on the central login wiki was
unattached. That does not happen under normal circumstances, so the
vulnerability can only be exposed if some other error causes attaching
accounts to fail; nevertheless you are advised to update your
installations. The fix has been backported to all supported versions (those
for MediaWiki 1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T137551
Hi all,
a minor security bug [1] has been fixed in the OAuth extension:
* a connected application could use the /identify endpoint to learn the
username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the
username of a user even if the user was locked or blocked from login (this
could be problematic when OAuth is used for authentication, such as with
the OAuthAuthentication [2] extension).
The fix has been backported to all supported versions (those for MediaWiki
1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication