Hello,
We would like to announce the following security and maintenance updates to the Wikibase 1.35 container image, which include fixes to severe security issues in MediaWiki and instructions for disabling features in Elasticsearch to mitigate the recently discovered Log4Shell vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
Here are links to important documentation related to the release, which include instructions for updating MediaWiki to 1.35.5 and a security fix for Wikibase:
- MediaWiki release notes https://github.com/wikimedia/mediawiki/blob/REL1_35/RELEASE-NOTES-1.35
- Wikibase release notes https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Wikibase/+/refs/heads/REL1_35/RELEASE-NOTES-1.35
- Upgrade instructions https://github.com/wmde/wikibase-release-pipeline/blob/main/docs/topics/upgrading.md
If updating your Wikibase installation is not an option, please refer to these instructions on disabling the vulnerable code in MediaWiki in the recent security release announcement: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
If you have any questions, please feel free to ask on this mailing list or leave a comment at Talk:Wikibase/FAQ (https://www.mediawiki.org/wiki/Talk:Wikibase/FAQ).
Cheers,
wikidata-tech@lists.wikimedia.org