Hello,

Just a clarification: MediaWiki-Vagrant [1] users should run `vagrant git-update` to update to the latest version. This is especially relevant for users running it on publicly-accessible hosts and having any of the following roles enabled:

- visualeditor
- restbase
- parsoid

Cheers,
Marko Obrovac, PhD
Senior Services Engineer
Wikimedia Foundation

[1] https://www.mediawiki.org/wiki/MediaWiki-Vagrant


On 20 January 2016 at 11:20, Gabriel Wicke <gwicke@wikimedia.org> wrote:
A vulnerability has been found in RESTBase v0.9.1 and earlier that
allowed attackers to read arbitrary files on the host system by
passing a specially crafted URL. This vulnerability has been fixed in
[1].

All RESTBase users are strongly encouraged to upgrade to v0.9.2
immediately. Files readable by the RESTBase service user might have
been accessed by third parties, so appropriate measures should be
taken.

mediawiki-containers [2] users with automatic updates enabled have
already been upgraded to v0.9.2.

--
Gabriel Wicke
Principal Engineer, Wikimedia Foundation

[1]: https://github.com/wikimedia/restbase/commit/1ea649306ae4e85ab2cee5a36318e990a4fca3f5
[2]: https://github.com/wikimedia/mediawiki-containers
