[MediaWiki-l] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

[MediaWiki-l] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

Chris Steipp
I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and
1.19.24. These releases fix 10 security issues, in addition to other bug
fixes. Download links are given at the end of this email.


== Security fixes ==

* iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
<https://phabricator.wikimedia.org/T85850>

* MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
<https://phabricator.wikimedia.org/T86711>

* MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki's Html class, in combination with
LanguageConverter substitutions.
<https://phabricator.wikimedia.org/T73394>

* Internal review discovered that MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes
from Beyond Security.
<https://phabricator.wikimedia.org/T88310>

* iSEC Partners discovered an XSS vulnerability in the way API errors were
reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
MediaWiki now detects and mitigates this issue on older versions of HHVM.
<https://phabricator.wikimedia.org/T85851>

* Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
MediaWiki versions using PBKDF2 for password hashing (the default since
1.24) are vulnerable to DoS attacks using extremely long passwords.
<https://phabricator.wikimedia.org/T64685>

* iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running
under HHVM, was susceptible to "Billion Laughs" DoS attacks
(iSEC-WMF1214-13).
<https://phabricator.wikimedia.org/T85848>

* Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
DoS attacks, under both HHVM and Zend PHP.
<https://phabricator.wikimedia.org/T71210>

* iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
the SVG.
<https://phabricator.wikimedia.org/T85349>

* iSEC Partners reported that the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (iSEC-WMF1214-10). This feature has been removed.
<https://phabricator.wikimedia.org/T85855>


Additionally, the following extensions have been updated to fix security
issues:

* Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
names were not sanitized in Lua error backtraces, which could lead to XSS.
<https://phabricator.wikimedia.org/T85113>

* Extension:CheckUser - iSEC Partners discovered that the CheckUser
extension did not prevent CSRF attacks on the form allowing checkusers to
look up sensitive information about other users (iSEC-WMF1214-6). Since the
use of CheckUser is logged, the CSRF could be abused to defame a trusted
user or flood the logs with noise.
<https://phabricator.wikimedia.org/T85858>


== Bug fixes ==

=== 1.24 ===

* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
fix loading these special pages when $wgAutoloadAttemptLowercase is false.
* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
change and running update.php to fix.

=== 1.23 & 1.24 ===

* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.


**********************************************************************

Full release notes:
https://www.mediawiki.org/wiki/Release_notes/1.24
https://www.mediawiki.org/wiki/Release_notes/1.23
https://www.mediawiki.org/wiki/Release_notes/1.19

Download:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz

Patch to previous version:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig

Extensions:
http://www.mediawiki.org/wiki/Extension:Scribunto
http://www.mediawiki.org/wiki/Extension:CheckUser

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
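The four SVG items in the announcement (the data: MIME whitelist, T85850; the entity-encoding bypass, T88310; and the "Billion Laughs" and "Quadratic Blowup" expansions, T85848 and T71210) come down to two checks an upload filter has to make: refuse entity declarations before the parser expands them, and compare the MIME type of embedded data: URIs against a whitelist after the XML parser has decoded the attribute value, not on the raw text. The Python screen below is an added example written for this page, not MediaWiki's XmlTypeCheck or UploadBase code; the whitelist contents, the function names and the four sample documents are constructed for the example.

```python
"""Pre-upload SVG screen: an added example, not MediaWiki's XmlTypeCheck code.

Two checks that match fixes in the announcement above:
  1. Any <!ENTITY ...> declaration is rejected.  "Billion Laughs" and
     "Quadratic Blowup" both need entity declarations, so refusing the
     declaration stops the blowup before the parser pays for it.
  2. href / xlink:href values that are data: URIs are checked against a
     MIME whitelist, using the value as the XML parser decoded it, so
     &#x74;ext/html is seen as text/html and not as harmless-looking text.
ALLOWED_DATA_MIME is an assumption for this example, not MediaWiki's list.
"""
import re
import xml.parsers.expat

ALLOWED_DATA_MIME = {"image/png", "image/jpeg", "image/gif", "image/bmp"}


class SvgRejected(Exception):
    pass


def data_uri_mime(value):
    """Lower-cased MIME type of a data: URI, or None if the value is not one.

    Tabs/newlines are removed first because browsers drop them from URLs;
    a data: URI with no type defaults to text/plain (RFC 2397).
    """
    v = re.sub(r"[\t\r\n]", "", value).strip()
    if v[:5].lower() != "data:":
        return None
    header = v[5:].split(",", 1)[0]            # e.g. "image/png;base64"
    mime = header.split(";", 1)[0].strip().lower()
    return mime or "text/plain"


def check_svg(svg_bytes):
    """Return (True, summary) if the SVG passes, (False, reason) otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "hrefs": 0}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires at the declaration, before any reference to it is expanded.
        raise SvgRejected("entity declaration %r is not allowed" % name)

    def start_element(tag, attrs):
        if state["root"] is None:
            state["root"] = tag
        for attr, value in attrs.items():
            if attr.split(":")[-1] != "href":   # href and xlink:href
                continue
            state["hrefs"] += 1
            mime = data_uri_mime(value)         # value is already entity-decoded
            if mime is not None and mime not in ALLOWED_DATA_MIME:
                raise SvgRejected("data: URI of type %r on <%s>" % (mime, tag))

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    try:
        parser.Parse(svg_bytes, True)
    except SvgRejected as e:
        return False, str(e)
    except xml.parsers.expat.ExpatError as e:
        return False, "not well-formed XML: %s" % e
    if state["root"] != "svg":
        return False, "root element is <%s>, not <svg>" % state["root"]
    return True, "svg with %d href attribute(s)" % state["hrefs"]


# Constructed sample documents for the checks above (not files from the page).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <use href="#shape"/>
</svg>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&lol2;</text></svg>"""

# One 5 000-byte entity referenced 5 000 times: about 25 MB if expanded.
QUADRATIC_BLOWUP = (b'<!DOCTYPE svg [<!ENTITY a "' + b"a" * 5000 + b'">]>'
                    b'<svg xmlns="http://www.w3.org/2000/svg"><text>'
                    + b"&a;" * 5000 + b"</text></svg>")

# The MIME type is spelled with a character reference and in upper case.
ENCODED_HREF = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="DATA:&#x74;ext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="/>
</svg>"""

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("billion laughs", BILLION_LAUGHS),
                       ("quadratic blowup", QUADRATIC_BLOWUP), ("encoded href", ENCODED_HREF)]:
        print("%-17s %s" % (label, check_svg(doc)))
```

Running the block prints a verdict for each sample. The two expansion payloads are refused at the first <!ENTITY> declaration, so the 25 MB expansion of QUADRATIC_BLOWUP never happens. Because the MIME check runs on parser-decoded values, spelling the type as &#x74;ext/html or in upper case does not get past it; whether a given browser would honour the same URI is a separate question, so the filter errs toward rejecting.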
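On the PBKDF2 item (iSEC-WMF1214-1, T64685): HMAC hashes any key longer than the hash block size down to one digest before padding it, so a PBKDF2 loop that re-keys HMAC with the password on every iteration re-hashes the whole password once per iteration, and a multi-megabyte password multiplies the server's work by its length. The block below is an added example, not MediaWiki's password classes or their fix; it instruments SHA-256 to count bytes hashed, compares a re-keying loop with one that keys HMAC once, and puts a length cap in front of the hash (MAX_PASSWORD_BYTES = 4096 is an assumed value, as are the function names and the sample salt).

```python
"""Added example of the PBKDF2 long-password DoS and its mitigation.
Illustrative code, not MediaWiki's password classes.  MAX_PASSWORD_BYTES
is an assumed cap, not a value taken from MediaWiki."""
import hashlib

BLOCK = 64                 # SHA-256 block size in bytes
MAX_PASSWORD_BYTES = 4096  # assumed cap for this example


class CountingSha256:
    """hashlib.sha256 wrapper that records how many bytes were fed to update()."""
    bytes_hashed = 0

    def __init__(self, data=b"", _h=None):
        self._h = _h if _h is not None else hashlib.sha256()
        if data:
            self.update(data)

    def update(self, data):
        CountingSha256.bytes_hashed += len(data)
        self._h.update(data)

    def digest(self):
        return self._h.digest()

    def copy(self):  # copying state costs no hashing
        return CountingSha256(_h=self._h.copy())


def hmac_contexts(key):
    """Inner/outer SHA-256 contexts for HMAC with `key` (RFC 2104).
    This is where a long key costs: over BLOCK bytes, it is hashed first."""
    if len(key) > BLOCK:
        key = CountingSha256(key).digest()
    key = key.ljust(BLOCK, b"\0")
    inner = CountingSha256(bytes(b ^ 0x36 for b in key))
    outer = CountingSha256(bytes(b ^ 0x5C for b in key))
    return inner, outer


def hmac_finish(inner, outer, msg):
    """HMAC tag for `msg` from prepared contexts; the contexts stay reusable."""
    i = inner.copy()
    i.update(msg)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pbkdf2_rekeyed(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 (first 32-byte block), re-keying HMAC every iteration.
    Same as calling a one-shot hmac(password, msg) in the loop: correct output,
    but a long password is re-hashed `iterations` times."""
    u = hmac_finish(*hmac_contexts(password), salt + b"\x00\x00\x00\x01")
    t = u
    for _ in range(iterations - 1):
        u = hmac_finish(*hmac_contexts(password), u)
        t = _xor(t, u)
    return t


def pbkdf2_keyed_once(password, salt, iterations):
    """Same function, but the HMAC key schedule is computed once."""
    inner, outer = hmac_contexts(password)
    u = hmac_finish(inner, outer, salt + b"\x00\x00\x00\x01")
    t = u
    for _ in range(iterations - 1):
        u = hmac_finish(inner, outer, u)
        t = _xor(t, u)
    return t


def pbkdf2_reference(password, salt, iterations):
    """Standard-library result to check both loops against."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def bytes_hashed_by(fn, password, salt, iterations):
    """Run `fn` and return how many bytes went through SHA-256 in total."""
    CountingSha256.bytes_hashed = 0
    fn(password, salt, iterations)
    return CountingSha256.bytes_hashed


def password_length_ok(password):
    """Length guard to run before any hashing; rejects the DoS input outright."""
    return len(password) <= MAX_PASSWORD_BYTES


def hash_password(password, salt, iterations=10000):
    if not password_length_ok(password):
        raise ValueError("password longer than %d bytes rejected" % MAX_PASSWORD_BYTES)
    return pbkdf2_keyed_once(password, salt, iterations)


if __name__ == "__main__":
    salt, n = b"constructed-salt", 1000
    for label, pw in (("100-byte password", b"x" * 100), ("100 kB password", b"x" * 100000)):
        print("%-18s re-keyed: %9d bytes hashed   keyed once: %7d bytes hashed" % (
            label, bytes_hashed_by(pbkdf2_rekeyed, pw, salt, n),
            bytes_hashed_by(pbkdf2_keyed_once, pw, salt, n)))
```

Both loops agree with hashlib.pbkdf2_hmac; only the cost differs, and the part of the work that depends on password length grows by a factor of the iteration count in the re-keying version. Keying once removes that multiplier, but the cap is still worth keeping: hashing a 100 MB password even once is work an unauthenticated client should not be able to request, and the limit gives the login form a clear error instead of a slow one.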

Re: MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

Larry Silverman
Chris,

There might be something wrong with the mediawiki-1.23.9.patch file. I've
been using the patches to do point-release upgrades for quite a while, and
this is the first time I've seen something like this:

$ patch -p 1 --dry-run < mediawiki-1.23.9.patch
patching file Gruntfile.js
patching file includes/DefaultSettings.php
patching file includes/EditPage.php
patching file includes/Html.php
patching file includes/libs/XmlTypeCheck.php
patching file includes/media/BitmapMetadataHandler.php
patching file includes/media/JpegMetadataExtractor.php
patching file includes/media/XMP.php
patching file includes/OutputPage.php
patching file includes/specials/SpecialActiveusers.php
patching file includes/specials/SpecialJavaScriptTest.php
patching file includes/upload/UploadBase.php
patching file includes/Xml.php
patching file jsduck.json
patching file languages/i18n/en.json
patching file languages/i18n/qqq.json
patching file maintenance/jsduck/config.json
patching file maintenance/jsduck/MetaTags.rb
patching file maintenance/mwjsduck-gen
patching file RELEASE-NOTES-1.23
patching file resources/Resources.php
patching file resources/src/jquery/jquery.badge.css
patching file resources/src/mediawiki.special/mediawiki.special.javaScriptTest.js
The next patch would delete the file tests/frontend/Gruntfile.js,
which does not exist!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 1472
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.23.8/tests/parser/parserTests.txt mediawiki-1.23.9/tests/parser/parserTests.txt
|--- mediawiki-1.23.8/tests/parser/parserTests.txt      2015-03-31 13:11:11.000000000 +0000
|+++ mediawiki-1.23.9/tests/parser/parserTests.txt      2015-03-31 13:10:49.000000000 +0000
--------------------------
File to patch: ^C

I ctrl-c'ed out here.


Larry Silverman
Chief Technology Officer
TrackAbout, Inc.

On Tue, Mar 31, 2015 at 4:20 PM, Chris Steipp <[hidden email]> wrote:


Re: MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

Lewis Cawte
So it appears tests have made their return to releases... in a security
release.

I did also raise this on IRC but I was told that not having tests in the
tarball was wrong. My IRC client conveniently decided to stop listening to
my keyboard just as I was about to reply. But as someone else has raised
this issue, we might as well have the 'tests in tarball' conversation
again, for the third or fourth time in recent history...

-- Lewis

On 31 March 2015 at 22:55, Larry Silverman <[hidden email]>
wrote:
