Hello,
Just a clarification: MediaWiki-Vagrant [1] users should run
`vagrant git-update` to update to the latest version. This is especially
relevant for users running it on publicly-accessible hosts and having any
of the following roles enabled:
- visualeditor
- restbase
- parsoid
Cheers,
Marko Obrovac, PhD
Senior Services Engineer
Wikimedia Foundation
[1] https://www.mediawiki.org/wiki/MediaWiki-Vagrant
On 20 January 2016 at 11:20, Gabriel Wicke <gwicke(a)wikimedia.org> wrote:
A vulnerability has been found in RESTBase v0.9.1 and earlier that
allowed attackers to read arbitrary files on the host system by
passing a specially crafted URL. This vulnerability has been fixed in
[1].
All RESTBase users are strongly encouraged to upgrade to v0.9.2
immediately. Files readable by the RESTBase service user might have
been accessed by third parties, so appropriate measures should be
taken.
mediawiki-containers [2] users with automatic updates enabled have
already been upgraded to v0.9.2.
--
Gabriel Wicke
Principal Engineer, Wikimedia Foundation
[1]: https://github.com/wikimedia/restbase/commit/1ea649306ae4e85ab2cee5a36318e9…
[2]: https://github.com/wikimedia/mediawiki-containers
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l