Chris Steipp wrote:
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J BeebeM@battelle.org wrote:
General security vulnerabilities. - I would love to have any specifics here.
You can start with https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=... on_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equals&o3=greaterthan &o4=equals&query_format=advanced&v1=Security&v2=MediaWiki&v3=2011&v4=FIXED
That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for many installs.
Hmm, probably not quite 55 reasons. The original e-mail said that it was an internal wiki running 1.15.3. Internal is somewhat ambiguous, but if the wiki is on an intranet, most of the security issues are... not very severe. There's usually a presumption that people on an intranet are trusted. If there are untrusted users on the intranet, you probably have a lot larger problems than your MediaWiki installation. Of course part of the reason that companies put wikis on an intranet is that sysadmins don't trust large PHP applications (with good reason). Plus, when you're running a particularly old version of MediaWiki, many of the newer security vulnerabilities are irrelevant as they rely on code paths that didn't exist previously. For example, the XSS vulnerability in the info action wouldn't affect a wiki running 1.15.3, nor would a vulnerability in Special:Upload that was introduced in September 2009, assuming 1.15 was branched in March 2009, as mediawiki.org's "Branch points" page states.
That said, MediaWiki maintainers should absolutely try to keep up to date, but it's annoying to do. One of my old wikis is running 1.12.0 still. :-) Upgrading MediaWiki core and its extensions is tedious and it's not totally unreasonable for people to want to stick with what works.
MZMcBride