Chris Steipp wrote:
> On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J
> <BeebeM(a)battelle.org>
> wrote:
>> 4. General security vulnerabilities. - I
>> would love to have any
>> specifics here.
> You can start with
> https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3…
> on_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equals&o3=greaterthan
> &o4=equals&query_format=advanced&v1=Security&v2=MediaWiki&v3=2011&v4=FIXED
> That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for
> many installs.
Hmm, probably not quite 55 reasons. The original e-mail said that it was
an internal wiki running 1.15.3. Internal is somewhat ambiguous, but if
the wiki is on an intranet, most of the security issues are... not very
severe. There's usually a presumption that people on an intranet are
trusted. If there are untrusted users on the intranet, you probably have
much larger problems than your MediaWiki installation. Of course, part of
the reason that companies put wikis on an intranet is that sysadmins don't
trust large PHP applications (with good reason). Plus, when you're running
a particularly old version of MediaWiki, many of the newer security
vulnerabilities are irrelevant as they rely on code paths that didn't
exist previously. For example, the XSS vulnerability in the info action
wouldn't affect a wiki running 1.15.3, nor would a vulnerability in
Special:Upload that was introduced in September 2009, assuming 1.15 was
branched in March 2009, as mediawiki.org's "Branch points" page states.

That said, MediaWiki maintainers should absolutely try to keep up to date,
but it's annoying to do. One of my old wikis is running 1.12.0 still. :-)
Upgrading MediaWiki core and its extensions is tedious and it's not
totally unreasonable for people to want to stick with what works.

MZMcBride