[MediaWiki-l] SyntaxHighlight_GeSHi in latest tarball does not include security fixes

Brian Wolff bwolff at wikimedia.org
Sat Apr 29 20:40:59 UTC 2017


Hello everyone.

Unfortunately there's been a mistake in generating the 1.28.1 and 1.27.2
tarball releases, where the wrong version of SyntaxHighlight_GeSHi
extension was included. The version of this extension that was included has
publically known severe security issues in it.

Until such a time as a new release is issued (which will hopefully be soon)
I reccomend that people either disable that extension or download a new
version from
https://www.mediawiki.org/wiki/Special:ExtensionDistributor/SyntaxHighlight_GeSHi
. The version of this extension in git, or from extension distributor is
fine. Only the version in the most recent tarball is wrong. The rest of the
release is also fine. The 1.23.16 and 1.23.17 release was not affected by
this issue.

Sorry for the confusion,
--
Brian


More information about the MediaWiki-l mailing list