[Olpc-sysadmin] [Fwd: [MediaWiki-announce] MediaWiki security update: 1.15.1 and 1.14.1]

Ed McNierney ed at laptop.org
Mon Jul 13 19:51:32 EDT 2009


Bernie -

Thanks for the heads-up on this release.  At the moment we are trying  
to stabilize and consolidate the services and servers we're operating,  
so we can better adjust the number of systems we have to the level of  
administrative support we can provide.  So I would like to encourage  
folks to discuss the high-priority updates necessary, but please let's  
not undertake any system upgrades for a bit until we get things in a  
more maintainable state.

In the very short term, cjb and I are moving weka.laptop.org from 1CC  
to W91 so we can turn it back on again as a reverse proxy for the  
wiki.  I want to be sure we have all "public" servers (i.e. services  
advertised as available to the anonymous public user) in W91 where  
they will be better treated in terms of power, cooling, bandwidth, etc.

	- Ed


On Jul 13, 2009, at 7:39 PM, Bernie Innocenti wrote:

> BTW, who's in charge of MediaWiki these days?
>
> I could help with it, but this time I'd like a written statement that I
> won't get blamed if it ends up taking 45 minutes of downtime ;-)
>
> -------- Forwarded Message --------
> From: Tim Starling <tstarling at wikimedia.org>
> Reply-to: mediawiki-l at lists.wikimedia.org
> To: mediawiki-announce at lists.wikimedia.org,
> mediawiki-l at lists.wikimedia.org, wikitech-l at lists.wikimedia.org
> Subject: [MediaWiki-announce] MediaWiki security update: 1.15.1 and
> 1.14.1
> Date: Tue, 14 Jul 2009 04:51:55 +1000
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1.
>
> A cross-site scripting (XSS) vulnerability was discovered in
> [[Special:Block]]. Only versions 1.14.0, 1.15.0 and release candidates
> for those releases are affected.
>
> Cross-site scripting vulnerabilities allow an unprivileged attacker to
> gain administrator access to the wiki by tricking an administrator
> into viewing a page which emits a malicious script. The malicious
> script may also be able to gain privileged access to other
> applications on the same domain.
>
> Other changes in these releases:
>
> 1.15.1:
> * Fixed fatal errors for unusual file repository configurations, such
> as ForeignAPIRepo.
> * Fixed the "change password" link on Special:Preferences to have the
> correct returnto parameter.
>
> 1.14.1:
> * (bug 17737) Fixed Russian URLs for Special:BookSources
> * (bug 17713) Using links with only an anchor no longer adds a dummy
> entry in the pagelinks table
> * (bug 17897) Fixed string offset error in <pre> tags
> * (bug 17832) Fixed action=delete returning 'unknownerror' instead of
> 'permissiondenied' when the user is blocked
> * Fixed performance regression when accessing deleted (archived) files
>
> Upgrade FAQ:
> http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading
>
>
> **********************************************************************
>  1.14.1
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.tar.gz
>
> Patch to previous version (1.14.0), without interface text:
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.patch.gz
> Interface text changes:
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-i18n-1.14.1.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.14/mediawiki-i18n-1.14.1.patch.gz.sig
>
> Public keys:
> https://secure.wikimedia.org/keys.html
>
> **********************************************************************
>  1.15.1
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.tar.gz
>
> Patch to previous version (1.15.0):
> http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.patch.gz.sig
>
> Public keys:
> https://secure.wikimedia.org/keys.html
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkpbgkoACgkQdWgrCOij/sRAOgCgwk2XTXrxMkRrxsxNsAZj2EGK
> CC0AoJ78EAOW0rGxs+K1NjFO59XfS1RS
> =ZcRE
> -----END PGP SIGNATURE-----
>
> -- 
>   // Bernie Innocenti - http://codewiz.org/
> \X/  Sugar Labs       - http://sugarlabs.org/