On Fri, Jul 30, 2010 at 06:35, Tim Starling tstarling@wikimedia.org wrote:
> However, the statistics presented by Qualys show that an alarming number of people are running versions of MediaWiki older than 1.14.1, which was the most recent fix for an XSS vulnerability exploitable without special privileges. There is certainly room for us to do better.
I haven't read all the documents, but have these researchers taken into account backported fixes?
My gut feeling is that the "preference" for 1.12 is simply due to its inclusion in Debian stable [1]. The maintainer seems to be actively backporting security fixes [2], so while I agree that these versions may enjoy less community support, they should not be considered broken on the basis of the version number alone.
This, of course, unless it is certain that some vulnerabilities are still present in the Debian version. If you are aware of the existence of such a problem, I would recommend you contact security@debian.org. Otherwise, the situation might not be as dangerous as it seems.
On the topic of facilitating upgrades: perhaps we should emphasize the option to install and upgrade using SVN, which is probably very convenient for users that are comfortable with the command line. Moodle has this in the official documentation and I find it very useful [3]. SVN could also be handy as the backend for a user-friendly upgrade procedure, as it already deals with local modifications and such.
[1] http://packages.debian.org/search?keywords=mediawiki
[2] http://packages.debian.org/changelogs/pool/main/m/mediawiki/mediawiki_1.12.0...
[3] http://docs.moodle.org/en/Upgrading#Using_CVS
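The point made above, that a distro package should not be judged vulnerable on its version number alone when the maintainer backports fixes, can be turned into a simple cross-check: before trusting a scanner finding of the form "installed < first fixed upstream release", look for the corresponding advisory ids in the package changelog at or below the installed revision. The following is an added illustration and not code from this thread or from Debian; the changelog text is constructed for the example, the CVE ids in it are placeholders (CVE-XXXX-NNNN), and the `assess` function with its `finding` dict layout is an assumed interface.

```python
"""Cross-check a version-based scanner finding against a Debian-style changelog.

Added example, not code from the mailing-list thread or the Debian package.
The changelog below is constructed and its CVE ids are placeholders.
"""
import re
from typing import List, Set, Tuple

# Constructed changelog, newest entry first, in debian/changelog layout.
# CVE-XXXX-NNNN ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
mediawiki (1:1.12.0-2lenny4) stable-security; urgency=high

  * Backport upstream fix for an XSS in the parser (CVE-XXXX-0001).

 -- Example Maintainer <maint@example.org>  Mon, 01 Mar 2010 10:00:00 +0000

mediawiki (1:1.12.0-2lenny3) stable-security; urgency=high

  * Backport fixes for CVE-XXXX-0002, CVE-XXXX-0003.

 -- Example Maintainer <maint@example.org>  Mon, 01 Feb 2010 10:00:00 +0000

mediawiki (1:1.12.0-2lenny2) stable; urgency=low

  * Packaging cleanups only.

 -- Example Maintainer <maint@example.org>  Mon, 04 Jan 2010 10:00:00 +0000
"""

# Entry header: "<source> (<version>) <dist>; ..." at column 0.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\w{4}-\d{4,}")


def upstream_version(debian_version: str) -> Tuple[int, ...]:
    """Reduce '1:1.12.0-2lenny4' to the upstream part as a comparable tuple."""
    v = debian_version.split(":", 1)[-1]            # drop the epoch
    v = v.rsplit("-", 1)[0] if "-" in v else v      # drop the Debian revision
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(package_version, [cve ids mentioned in that entry]), ...] in file order."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append((m.group(2), sorted(set(CVE_RE.findall(body)))))
    return entries


def backported_cves(installed: str, changelog: str) -> Set[str]:
    """CVEs referenced by the installed revision or any older one (newest-first changelog)."""
    entries = parse_changelog(changelog)
    versions = [v for v, _ in entries]
    if installed not in versions:
        return set()                                # unknown revision: claim nothing
    idx = versions.index(installed)
    return {cve for _, cves in entries[idx:] for cve in cves}


def assess(installed: str, finding: dict, changelog: str) -> str:
    """finding = {"fixed_in": upstream version, "cves": [ids]} as a scanner would report it."""
    if upstream_version(installed) >= upstream_version(finding["fixed_in"]):
        return "not affected: upstream version already carries the fix"
    missing = [c for c in finding["cves"] if c not in backported_cves(installed, changelog)]
    if not missing:
        return "fixed by backport: changelog references " + ", ".join(finding["cves"])
    return "verify: no backport entry found for " + ", ".join(missing)


if __name__ == "__main__":
    xss_finding = {"fixed_in": "1.14.1", "cves": ["CVE-XXXX-0001"]}
    for pkg in ("1:1.12.0-2lenny4", "1:1.12.0-2lenny3", "1.14.1"):
        print(pkg, "->", assess(pkg, xss_finding, SAMPLE_CHANGELOG))
```

The third outcome ("verify") is the useful one: it separates "version is old" from "known fix is absent", which is the distinction the Debian changelog lets you make and a bare version comparison cannot. Real Debian version ordering is more involved than the tuple comparison used here, so treat the upstream comparison as a first pass and the changelog entry as the actual evidence.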