On Fri, Jul 30, 2010 at 06:35, Tim Starling <tstarling(a)wikimedia.org> wrote:
> However, the statistics presented by Qualys show that an alarming
> number of people are running versions of MediaWiki older than 1.14.1,
> which was the most recent fix for an XSS vulnerability exploitable
> without special privileges. There is certainly room for us to do better.
I haven't read all the documents, but have these researchers taken
into account backported fixes?
My gut feeling is that the "preference" for 1.12 is simply due to its
inclusion in Debian stable [1]. The maintainer seems to be actively
backporting security fixes [2], so while I agree that these versions
may enjoy less community support, they should not be considered broken
on the basis of the version number alone.
This holds, of course, unless it is certain that some vulnerabilities are
still present in the Debian version. If you are aware of the existence
of such a problem, I would recommend you contact
<security(a)debian.org>. Otherwise, the situation might not be as
dangerous as it seems.
On the topic of facilitating upgrades: perhaps we should emphasize the
option to install and upgrade using SVN, which is probably very
convenient for users that are comfortable with the command line.
Moodle has this in the official documentation and I find it very
useful [3]. SVN could also be handy as the backend for a user-friendly
upgrade procedure, as it already deals with local modifications and
such.
[1] http://packages.debian.org/search?keywords=mediawiki
[2] http://packages.debian.org/changelogs/pool/main/m/mediawiki/mediawiki_1.12.…
[3] http://docs.moodle.org/en/Upgrading#Using_CVS
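An added example to go with the version discussion above; it is not part of the original message or of MediaWiki itself. The snippet reads `$wgVersion` from `includes/DefaultSettings.php` (the variable MediaWiki really uses there) and compares it numerically against 1.14.1, the release named in the quoted text as the last fix for an unprivileged XSS. It also strips a Debian epoch and package revision so a distro-packaged install compares on its upstream version. The version strings and the `DefaultSettings.php` fragment are constructed for the demo. As the message points out, such a comparison says nothing about backported fixes, so an "outdated" result is a cue to read the distribution changelog, not proof of a vulnerability.

```shell
#!/bin/sh
# Added example, not from the original thread or the MediaWiki project.
# Compares an installed MediaWiki version against the last fix release
# named in the discussion (1.14.1). Sample inputs below are constructed.

MIN_FIXED="1.14.1"

# Strip a Debian epoch ("1:") and package revision ("-2") so that a
# packaged version string like "1:1.12.0-2" compares as upstream "1.12.0".
upstream_version() {
    v=${1#*:}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# Dot-wise numeric comparison; prints -1, 0 or 1 for a<b, a=b, a>b.
# A plain string comparison would order "1.9.0" after "1.14.1"; this does not.
# A non-numeric suffix on a component ("16alpha") is ignored.
vercmp() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    printf '%s\n' 0
}

# Read the version MediaWiki declares in includes/DefaultSettings.php,
# which carries a line of the form:  $wgVersion = '1.12.0';
installed_version() {
    grep '^\$wgVersion' "$1/includes/DefaultSettings.php" \
        | sed "s/.*= *['\"]//; s/['\"];.*//"
}

# Report "outdated <v>" or "ok <v>" for the MediaWiki tree at $1.
# "outdated" only means the upstream version number is below MIN_FIXED;
# a distro package with backported fixes will still show up here.
check_install() {
    v=$(installed_version "$1")
    if [ "$(vercmp "$v" "$MIN_FIXED")" -lt 0 ]; then
        printf 'outdated %s\n' "$v"
    else
        printf 'ok %s\n' "$v"
    fi
}

# Demo on a constructed tree declaring 1.12.0, the Debian stable version
# mentioned in the message.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/includes"
printf '<?php\n$wgVersion = '"'"'1.12.0'"'"';\n' > "$demo_dir/includes/DefaultSettings.php"
check_install "$demo_dir"
rm -rf "$demo_dir"
```

Point the script at a real tree with `check_install /var/lib/mediawiki` (or wherever the install lives); for a Debian package, read the changelog referenced in [2] before treating "outdated" as an open issue.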