The Parsing team at the Wikimedia Foundation that develops the Parsoid
service is deprecating support for node 0.1x. Parsoid is the service
that powers VisualEditor, Content Translation, and Flow. If you don't
run a MediaWiki install that uses VisualEditor, then this announcement
does not affect you.

Node 0.10 has reached end of life on October 31st, 2016 [1] and node
0.12 is scheduled to reach end of life December 31st, 2016 [1].
Yesterday, we released a 0.6.1 Debian package [2] and a 0.6.1 npm
version of Parsoid [3]. This will be the last release that will have
node 0.1x support. We'll continue to provide any necessary critical bug
fixes and security fixes for the 0.6.1 release till March 31st 2017 and
will be completely dropping support for all node versions before node
v4.x starting April 2017.

If you are running a Parsoid service on your wiki and are still using
node 0.1x, please upgrade your node version by April 2017. The Wikimedia
cluster runs node v4.6 right now and will soon be upgraded to node v6.x
[4]. Parsoid has been tested with node 0.1x, node v4.x and node v6.x and
works with all these versions. However, we are dropping support for node
0.1x right away from the master branch of Parsoid. Going forward, the
Parsoid codebase will adopt ES6 features available in node v4.x and
higher which aren't supported in node 0.1x and will constitute a
breaking change.

Subramanya Sastry (Subbu),
Technical Lead and Manager,
Parsing Team,
Wikimedia Foundation.

[1] Node.js Long Term Support schedule @ https://github.com/nodejs/LTS
[2] https://www.mediawiki.org/wiki/Parsoid/Releases
[3] https://www.npmjs.com/package/parsoid
[4] https://phabricator.wikimedia.org/T149331

The parsing team has fixed a security bug in Parsoid [1].

* Users could send invalid prefixes, formats, or domains and run
JavaScript code on the error page that Parsoid displayed.
* This fix has been applied to the Wikimedia cluster [2] and also merged
into Parsoid master [1].
* We have also released a 0.5.3 deb version with this patch applied. [3]
* We have also released a 0.5.3 npm version of Parsoid. [4]
* Parsoid is a stateless service and doesn't retain any state between
requests. In private wikis, VisualEditor can be configured to
forward the user cookie to Parsoid to pass along to the MediaWiki API
to parse a page, but this exploit is not exposed through VE.
In addition, Parsoid doesn't receive any user credentials on public
wikis.
* However, if a wiki's Parsoid service is publicly accessible on the
internet *and* is accessible through the wiki's domain, then this exploit
can be used to leak user cookies for that wiki. For all wikis that use
Parsoid in this fashion, we recommend they patch their Parsoid
installation immediately.
* On the Wikimedia cluster, Parsoid is proxied behind RESTBase and is
not publicly accessible and as such, this exploit wasn't available for
an exploit to steal user sessions.

Thanks to the reporter of this exploit, Darian Patrick from the Security
Team, Arlo Breault from the Parsing Team, Daniel Zahn and others from Ops
for their assistance handling this bug and preparing this release.

[1] https://gerrit.wikimedia.org/r/#/c/319115
[2] https://www.mediawiki.org/wiki/Parsoid/Deployments#Monday.2C_October_31.2C_…
[3] https://releases.wikimedia.org/debian/pool/main/p/parsoid/
[4] https://www.npmjs.com/package/parsoid

Subramanya Sastry,
Technical Lead and Manager,
Parsing Team,
Wikimedia Foundation.