Status | Assigned | Task
---|---|---
Resolved | demon | T115722 MediaWiki Security release 1.25.4
Resolved | dpatrick | T97897 Incorrect parsing of IPs for global block
Resolved | csteipp | T115522 Passwords generated by User::randomPassword() may be shorter than $wgMinimalPasswordLength
Resolved | Bawolff | T117899 XSS from wikitext when $wgArticlePath='$1'
Resolved | Catrope | T118032 Error thrown by VirtualRESTService when POST variable starts with '@'
Resolved | csteipp | T109724 A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of a user
Resolved | csteipp | T119309 User::matchEditToken should use constant-time string comparison
Event Timeline
Could use another set of eyes. REL1_23 through REL1_25 include 2 unrelated backports to aid in merging (rMW64431f and rMWc1b47d). Master lacks the two patches for T117899: XSS from wikitext when $wgArticlePath='$1' because they're already in master.

(10 patches total) (10 patches total) (10 patches total) (8 patches total) (6 patches total)

If it looks good, we'll pre-announce the 6 blocked patches for the following 5 branches.
The patches for T119309 in MW 1.23 and 1.24 should use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.
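As an added illustration (not one of the attached patches, and not MediaWiki's own code), here is what the two-place change requested above looks like: the token check with `==` in both the debug comparison and the returned value, next to the same method using `hash_equals()` in both, plus a byte-by-byte polyfill for the PHP versions before 5.6 that MW 1.23/1.24 still supported. `makeEditToken()`, `$secret` and `$salt` are simplified stand-ins for the inputs of User::getEditToken().

```php
<?php
// Added example, not MediaWiki code: edit-token matching before and after
// switching to a constant-time comparison, in both the debug check and the
// return value. makeEditToken(), $secret and $salt are simplified stand-ins.

// Polyfill for PHP < 5.6: compares every byte regardless of where the first
// mismatch is, so the running time does not depend on the attacker's guess.
if ( !function_exists( 'hash_equals' ) ) {
	function hash_equals( $known, $user ) {
		if ( !is_string( $known ) || !is_string( $user ) ) {
			return false;
		}
		$len = strlen( $known );
		if ( $len !== strlen( $user ) ) {
			return false;
		}
		$diff = 0;
		for ( $i = 0; $i < $len; $i++ ) {
			$diff |= ord( $known[$i] ) ^ ord( $user[$i] );
		}
		return $diff === 0;
	}
}

function makeEditToken( $secret, $salt ) {
	// MediaWiki appends "+\" to its md5 token; kept so the shape matches.
	return md5( $salt . $secret ) . '+\\';
}

// Before: == stops at the first differing byte, so response time reveals how
// many leading bytes of a guess were right. == also juggles types: two
// numeric-looking strings are compared as numbers ("1e3" == "1000").
function matchEditTokenLeaky( $secret, $salt, $val ) {
	$sessionToken = makeEditToken( $secret, $salt );
	if ( $val != $sessionToken ) {
		error_log( "User::matchEditToken: broken session data" );
	}
	return $val == $sessionToken;
}

// After: hash_equals() in both places; timing depends only on strlen($known).
function matchEditTokenSafe( $secret, $salt, $val ) {
	if ( !is_string( $val ) ) {
		return false; // hash_equals() warns on non-strings; reject outright
	}
	$sessionToken = makeEditToken( $secret, $salt );
	$match = hash_equals( $sessionToken, $val );
	if ( !$match ) {
		error_log( "User::matchEditToken: broken session data" );
	}
	return $match;
}

// Sample values, constructed for this example.
$secret = 'constructed-session-secret';
$salt = 'Main_Page';
$token = makeEditToken( $secret, $salt );

var_dump( matchEditTokenSafe( $secret, $salt, $token ) );
var_dump( matchEditTokenSafe( $secret, $salt, 'wrong' ) );
var_dump( matchEditTokenSafe( $secret, $salt, array( $token ) ) );
```

The known (session) token goes in the first argument of `hash_equals()` on purpose: the function's running time is a function of that string's length, so the attacker-supplied value does not influence it.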
Thanks for the review. I'll amend and post a revised REL1_23 and REL1_24 patch shortly.
Proposed release notes, will be backporting to all branches:

* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't interpret POST parameters starting with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
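To make the first and third notes concrete, an added example (not MediaWiki's own code and not part of the proposed notes): a validator that accepts exactly the $wgArticlePath configurations the note describes, a URL builder that shows why a rooted path keeps the title confined to the path segment, and the string-body form of cURL POST fields that sidesteps the '@' interpretation. `checkArticlePath()`, `articleUrl()` and `postFieldsAsString()` are hypothetical names; `rawurlencode()` stands in for MediaWiki's own title encoding.

```php
<?php
// Added example, not MediaWiki code: a check matching the (T117899) rule in
// the notes above, plus the string-body form of POST fields that avoids the
// cURL '@' interpretation from (T118032). Function names are hypothetical.

// Accepts a full URL ("http://my.wiki.com/wiki/$1") or a path that begins
// with "/" ("/wiki/$1"); rejects "$1", "wiki/$1" and anything without $1.
function checkArticlePath( $path ) {
	if ( !is_string( $path ) || strpos( $path, '$1' ) === false ) {
		throw new InvalidArgumentException( '$wgArticlePath must contain $1' );
	}
	$hasScheme = (bool)preg_match( '!^[a-z][a-z0-9+.-]*://!i', $path );
	if ( !$hasScheme && $path[0] !== '/' ) {
		throw new InvalidArgumentException(
			"\$wgArticlePath must be an absolute URL or start with '/': '$path'"
		);
	}
	return $path;
}

// Builds an internal link target from the validated path. With the rule above
// the result is always rooted (scheme or leading "/"), so the title text can
// only ever fill the path segment, never decide where the link points.
// rawurlencode() is a simplified stand-in for MediaWiki's title encoding.
function articleUrl( $articlePath, $title ) {
	$dbKey = str_replace( ' ', '_', $title );
	return str_replace( '$1', rawurlencode( $dbKey ), checkArticlePath( $articlePath ) );
}

// (T118032): handing cURL an array lets a value that starts with '@' be read
// as "upload this local file" on older PHP/cURL. Encoding to a string body
// first means every value is sent verbatim as form data.
function postFieldsAsString( array $params ) {
	return http_build_query( $params, '', '&' );
}

// Sample inputs, constructed for this example.
foreach ( array( 'http://my.wiki.com/wiki/$1', '/wiki/$1', '$1', 'wiki/$1' ) as $p ) {
	try {
		echo $p, ' => ', articleUrl( $p, 'Main Page' ), "\n";
	} catch ( InvalidArgumentException $e ) {
		echo $p, ' => rejected: ', $e->getMessage(), "\n";
	}
}

$body = postFieldsAsString( array( 'summary' => '@example', 'text' => 'hello' ) );
echo $body, "\n";
// curl_setopt( $ch, CURLOPT_POSTFIELDS, $body ); // string body, never an array
// On PHP 5.5/5.6, curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true ) also disables
// the '@' form; PHP 7 removed the option and behaves as if it were always on.
```

Run as `php example.php`: the two rooted paths produce usable links, the two relative forms are rejected at configuration time rather than surfacing as a broken href, and the POST body arrives as `summary=%40example&text=hello` with the '@' encoded.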
Proofreading would be nice ;-)
I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and 1.23.12. These releases fix six security issues in core, in addition to other bug fixes. Download links are given at the end of this email. Patches will be in Git and tags up shortly, as they pass Jenkins.

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

== Note about EOL of 1.24.x ==

Please note that 1.24.5 marks the end of support for the 1.24.x series of releases. Technically this ended a few weeks ago with the release of 1.26.0 but we dropped one final release of 1.24.x here to give it a nicer send off for those who have not yet upgraded.
== Release notes ==

Full release notes for 1.26.1: <https://www.mediawiki.org/wiki/Release_notes/1.26>
Full release notes for 1.25.4: <https://www.mediawiki.org/wiki/Release_notes/1.25>
Full release notes for 1.24.5: <https://www.mediawiki.org/wiki/Release_notes/1.24>
Full release notes for 1.23.12: <https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.26.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.25.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.24.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.