There's a new MediaWiki security release, can someone tweet/plus/whatever the following message (probably from just the MediaWiki accounts, not Wikipedia or Wikimedia):
MediaWiki security release (1.19.24, 1.23.9, and 1.24.2) now available! https://www.mediawiki.org/wiki/Download
Thanks!
----- Forwarded message from Chris Steipp csteipp@wikimedia.org -----
Date: Tue, 31 Mar 2015 14:20:09 -0700
From: Chris Steipp csteipp@wikimedia.org
To: mediawiki-announce@lists.wikimedia.org, Wikimedia developers wikitech-l@lists.wikimedia.org, MediaWiki-l mediawiki-l@lists.wikimedia.org, mediawiki-enterprise@lists.wikimedia.org
Subject: [Wikitech-l] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2
Reply-To: Wikimedia developers wikitech-l@lists.wikimedia.org
I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email.
== Security fixes ==
- iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. https://phabricator.wikimedia.org/T85850
- MediaWiki user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. https://phabricator.wikimedia.org/T86711
- MediaWiki user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions. https://phabricator.wikimedia.org/T73394
- Internal review discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. https://phabricator.wikimedia.org/T88310
- iSEC Partners discovered an XSS vulnerability in the way API errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now detects and mitigates this issue on older versions of HHVM. https://phabricator.wikimedia.org/T85851
- Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. https://phabricator.wikimedia.org/T64685
- iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). https://phabricator.wikimedia.org/T85848
- Internal review found that MediaWiki is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. https://phabricator.wikimedia.org/T71210
- iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. https://phabricator.wikimedia.org/T85349
- iSEC Partners reported that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. https://phabricator.wikimedia.org/T85855
Additionally, the following extensions have been updated to fix security issues:
- Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. https://phabricator.wikimedia.org/T85113
- Extension:CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. https://phabricator.wikimedia.org/T85858
== Bug fixes ==
=== 1.24 ===
- Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
- (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
=== 1.23 & 1.24 ===
- (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
Full release notes:
https://www.mediawiki.org/wiki/Release_notes/1.24
https://www.mediawiki.org/wiki/Release_notes/1.23
https://www.mediawiki.org/wiki/Release_notes/1.19
Download:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
Patch to previous version:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
Extensions:
http://www.mediawiki.org/wiki/Extension:Scribunto
http://www.mediawiki.org/wiki/Extension:CheckUser
Public keys: https://www.mediawiki.org/keys/keys.html
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
----- End forwarded message -----
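An added example, not part of this thread and not MediaWiki's own fix, showing the defender-side check behind the two XML DoS items above (T85848 "Billion Laughs" and T71210 "Quadratic Blowup"): bound how far the internal entities of an uploaded SVG would expand before handing it to an XML parser. The sample documents, the size limit and the function names are constructed for this example.

```python
import re

# Constructed samples (not from the advisory): NESTED_SVG has the "Billion Laughs"
# shape, QUADRATIC_SVG the "Quadratic Blowup" shape; both are kept tiny on purpose.
SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><text>hi</text></svg>'
NESTED_SVG = ('<!DOCTYPE svg [\n<!ENTITY a "' + 'x' * 10 + '">\n'
              '<!ENTITY b "' + '&a;' * 10 + '">\n'
              '<!ENTITY c "' + '&b;' * 10 + '">\n'
              '<!ENTITY d "' + '&c;' * 10 + '">\n]>\n'
              '<svg xmlns="http://www.w3.org/2000/svg"><text>&d;</text></svg>')
QUADRATIC_SVG = ('<!DOCTYPE svg [<!ENTITY big "' + 'x' * 200 + '">]>'
                 '<svg>' + '&big;' * 100 + '</svg>')
RECURSIVE_SVG = '<!DOCTYPE svg [<!ENTITY x "&y;"><!ENTITY y "&x;">]><svg>&x;</svg>'

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(\[.*?\])?\s*>', re.S)
ENTITY_DECL = re.compile(r'''<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_REF = re.compile(r'&(\w+);')
MAX_EXPANSION = 2_000   # bytes of entity output tolerated; an assumed limit

def expansion_bound(doc):
    """Bytes the internal entities of doc would expand to, computed without
    expanding them. Raises ValueError on a reference cycle. Parameter and
    external entities are out of scope here (reject them separately)."""
    m = DOCTYPE.search(doc)
    if not m or not m.group(1):
        return 0                    # no internal subset: nothing to expand
    decls = {n: v1 or v2 for n, v1, v2 in ENTITY_DECL.findall(m.group(1))}
    cache = {}
    def size(name, stack=()):
        if name in stack:
            raise ValueError('entity %r references itself' % name)
        if name not in decls:
            return len(name) + 2    # predefined/unknown: passed through as-is
        if name not in cache:
            body = decls[name]
            total = len(ENTITY_REF.sub('', body))   # literal text in the value
            for ref in ENTITY_REF.findall(body):
                total += size(ref, stack + (name,))
            cache[name] = total
        return cache[name]

    return sum(size(ref) for ref in ENTITY_REF.findall(doc[m.end():]))

def is_safe_to_parse(doc):
    """Gate to run on an uploaded SVG/XMP blob before it reaches an XML parser."""
    try:
        return expansion_bound(doc) <= MAX_EXPANSION
    except ValueError:
        return False
```

The bound is computed from the declarations alone, so the check costs about as much as reading the DOCTYPE even when the expanded document would be gigabytes.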
Done
On Tue, Mar 31, 2015 at 2:30 PM, Greg Grossmeier greg@wikimedia.org wrote:
--
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
Social-media mailing list
Social-media@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/social-media