Hello everyone,
I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of life for the MediaWiki 1.22 branch.
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
== Bugfixes ==
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
* Add missing $ in front of variable in OutputPage.php.
== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed.
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing.
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
Full release notes for 1.24.1: https://www.mediawiki.org/wiki/Release_notes/1.24
Full release notes for 1.23.8: https://www.mediawiki.org/wiki/Release_notes/1.23
Full release notes for 1.22.15: https://www.mediawiki.org/wiki/Release_notes/1.22
Full release notes for 1.19.23: https://www.mediawiki.org/wiki/Release_notes/1.19
Public keys: https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.24.1
**********************************************************************
Download: https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz
Patch to previous version (1.24.0): https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.1.tar.gz.s...
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz.sig
**********************************************************************
1.23.8
**********************************************************************
Download: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz
Patch to previous version (1.23.7): https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.8.tar.gz.s...
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz.sig
**********************************************************************
1.22.15
**********************************************************************
Download: https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz
Patch to previous version (1.22.14): https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.15.tar.gz....
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz.sig
**********************************************************************
1.19.23
**********************************************************************
Download: https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz
Patch to previous version (1.19.22): https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.23.tar.gz....
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz.sig
Markus Glaser (Wiki Release Team)
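The T77028 entry above describes an origin allow-list that passes any Origin whose host merely contains an allowed domain. The following is an added example, not MediaWiki's code: a substring matcher beside a whole-host matcher, with a constructed allow-list; the wildcard semantics ("*.x.org" matches any host ending in ".x.org", a bare entry matches exactly) are an assumption for illustration.

```python
# Added example, not MediaWiki's code. Models the T77028 class of defect:
# an allow-list of origins (cf. $wgCrossSiteAJAXdomains) is applied to the
# request's Origin header by substring, so any host that merely contains
# an allowed domain passes. The strict matcher compares the whole host.
# Wildcard semantics are an assumption for illustration: "*.x.org" matches
# any host that ends in ".x.org"; a bare entry matches exactly.
from urllib.parse import urlsplit

# Constructed allow-list.
ALLOWED = ["wikipedia.org", "*.wikipedia.org", "*.wikimedia.org"]


def origin_host(origin):
    """Lower-cased host of an Origin header value, or None when it is
    not an http(s) URL (for example the literal string 'null')."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def weak_allows(origin, allowed=ALLOWED):
    """Vulnerable check: an allowed domain anywhere inside the host passes."""
    host = origin_host(origin)
    if host is None:
        return False
    return any((a[2:] if a.startswith("*.") else a) in host for a in allowed)


def strict_allows(origin, allowed=ALLOWED):
    """Fixed check: whole-host comparison; wildcards only at a label boundary."""
    host = origin_host(origin)
    if host is None:
        return False
    for rule in allowed:
        if rule.startswith("*."):
            if host.endswith(rule[1:]):  # rule[1:] is ".wikimedia.org"
                return True
        elif host == rule:
            return True
    return False


def cors_headers(origin, allow=strict_allows):
    """Headers to emit on an API response; an empty dict means no CORS grant."""
    if not allow(origin):
        return {}
    # Echo the single validated origin (never "*") and tell caches that
    # the answer depends on the Origin header.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```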
> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> - (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
Really? That's stretching the definition of a security bug.
(Remember that mediawiki:copyright is a raw html message, that's included on many more pages. Not to mention the whole MediaWiki:Common.js thing)
--bawolff
On Thu, 18 Dec 2014 07:44:59 +0100, Brian Wolff bawolff@gmail.com wrote:
> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> - (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
>
> Really? That's stretching the definition of a security bug.
> (Remember that mediawiki:copyright is a raw html message, that's included on many more pages. Not to mention the whole MediaWiki:Common.js thing)
Indeed, it seems to me that the meaning of "security bug" has been inflated somewhat recently.
On 18 Dec 2014, at 06:44, Brian Wolff bawolff@gmail.com wrote:
> == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
> - (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to XSS. Permission to edit MediaWiki namespace is required to exploit this.
>
> Really? That's stretching the definition of a security bug.
> (Remember that mediawiki:copyright is a raw html message, that's included on many more pages. Not to mention the whole MediaWiki:Common.js thing)
> --bawolff
Not entirely. Unlike message "copyright", the message used on thumb.php ("badtitletext") is not a "raw html" message. It is meant to be parsed and displayed regularly. And always was. Except it was re-used for thumb.php, and forgotten to be parsed there. I won't go into details, but it's exploitable under the right circumstances.
-- Krinkle
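The distinction Krinkle draws above (a message meant to go through the parser, reused by thumb.php and written out unparsed) as an added example, not MediaWiki's code: a constructed message store, a toy parser that escapes before rendering the one wikitext construct it knows, and the vulnerable output path beside the fixed one.

```python
# Added example, not MediaWiki's code. Models the T76686 defect: the
# 'badtitletext' message is meant to be run through the wikitext parser
# (which sanitises HTML) before display, but thumb.php reused the message
# and wrote it into the HTTP response unparsed. The parser here is a toy:
# it HTML-escapes the text and then renders only '''bold''' markup.
import html
import re

# Constructed message store standing in for the MediaWiki: namespace pages.
MESSAGES = {"badtitletext": "The requested page title is '''invalid'''."}


def parse_wikitext(text):
    """Toy stand-in for the parser: escape every text segment, then wrap
    the segments between ''' markers in <b>. Odd segments are bold."""
    out = []
    for i, part in enumerate(re.split(r"'''", text)):
        safe = html.escape(part, quote=True)
        out.append("<b>%s</b>" % safe if i % 2 == 1 else safe)
    return "".join(out)


def thumb_error_page_vulnerable(messages=MESSAGES):
    """Pre-1.24.1 pattern: the message text is dropped into the page as-is."""
    return "<html><body>%s</body></html>" % messages["badtitletext"]


def thumb_error_page_fixed(messages=MESSAGES):
    """Fixed pattern: the message is parsed, as on any other page."""
    body = parse_wikitext(messages["badtitletext"])
    return "<html><body>%s</body></html>" % body


# Any tag in the body other than the <b>/</b> the toy parser emits.
TAG_RE = re.compile(r"<(?!/?b>)[^>]+>")


def has_unexpected_markup(page):
    """True when the page body carries markup the parser did not produce;
    used to compare both output paths on the same message store."""
    body = page[len("<html><body>"):-len("</body></html>")]
    return TAG_RE.search(body) is not None


if __name__ == "__main__":
    # Constructed tampered message, as an editor of the MediaWiki: namespace
    # could write it; only the fixed path neutralises it.
    tampered = dict(MESSAGES, badtitletext="<script>alert(1)</script>")
    print(thumb_error_page_vulnerable(tampered))
    print(thumb_error_page_fixed(tampered))
```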
> Not entirely. Unlike message "copyright", the message used on thumb.php ("badtitletext") is not a "raw html" message. It is meant to be parsed and displayed regularly. And always was. Except it was re-used for thumb.php, and forgotten to be parsed there. I won't go into details, but it's exploitable under the right circumstances.
> -- Krinkle
I don't disagree that it's a bug, but in order to exploit, user would have to:
* Convince user to go to a rather obscure thumb.php page
* already have the ability to add javascript to any page on wiki
In which case, why wouldn't evil malicious user just insert javascript on the normal page everyone is looking at. That's both more effective, and probably less noticeable. Thus I don't see how it exposes any new security issues that aren't already present. Of course I may simply just be missing the nature of the "circumstances" that you reference in your comment.
--bawolff
p.s. Given there is now a fix released, I think it's important to be able to have frank discussions about security issues. After all, the best way to prevent future security issues is to make sure everyone understands the past issues, so that people don't make the same mistake again.
On 18 Dec 2014, at 09:01, Brian Wolff bawolff@gmail.com wrote:
> I don't disagree that it's a bug, but in order to exploit, user would have to:
> * Convince user to go to a rather obscure thumb.php page
> * already have the ability to add javascript to any page on wiki
>
> In which case, why wouldn't evil malicious user just insert javascript on the normal page everyone is looking at. That's both more effective, and probably less noticeable. Thus I don't see how it exposes any new security issues that aren't already present. Of course I may simply just be missing the nature of the "circumstances" that you reference in your comment.
> --bawolff
>
> p.s. Given there is now a fix released, I think it's important to be able to have frank discussions about security issues. After all, the best way to prevent future security issues is to make sure everyone understands the past issues, so that people don't make the same mistake again.
The circumstances I meant do not involve an administrator with malicious intent.
I agree they should be disclosed, but this particular issue aside, I don't think we should publicly discuss the full HowTo, yet. It's too soon after release.
CVE applies a very strict policy on that as well (maybe too strict). And the same at other trackers, and tech organisations. Feel free to ask me on IRC or elsewhere in private, though.
— Krinkle
wikitech-l@lists.wikimedia.org