
MediaWiki Security release 1.25.4
Closed, ResolvedPublic

Assigned To
Authored By
csteipp
Oct 16 2015, 4:45 PM
Referenced Files
F3113508: omnibus-v3-REL1_24.patch
Dec 17 2015, 9:09 PM
F3112777: omnibus-v2-REL1_23.patch
Dec 17 2015, 5:08 PM
F3112778: omnibus-v2-REL1_24.patch
Dec 17 2015, 5:08 PM
F3110762: omnibus-REL1_23.patch
Dec 17 2015, 12:39 AM
F3110761: omnibus-master.patch
Dec 17 2015, 12:39 AM
F3110763: omnibus-REL1_24.patch
Dec 17 2015, 12:39 AM
F3110765: omnibus-REL1_26.patch
Dec 17 2015, 12:39 AM
F3110764: omnibus-REL1_25.patch
Dec 17 2015, 12:39 AM

Event Timeline

csteipp raised the priority of this task from to Medium.
csteipp updated the task description. (Show Details)
csteipp added projects: Release, acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
demon removed a subtask: Restricted Task.Nov 20 2015, 10:49 PM

Could use another set of eyes. REL1_23 through REL1_25 includes 2 unrelated backports to aid in merging (rMW64431f and rMWc1b47d). Master lacks the two patches for T117899: XSS from wikitext when $wgArticlePath='$1' because they're already in master.

(10 patches total)

(10 patches total)

(10 patches total)

(8 patches total)

(6 patches total)

If this looks good, we'll pre-announce the 6 blocked patches for the following 5 branches.

The patches for T119309 in MW 1.23 and 1.24 should use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.
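The review comment above asks that every return path of the token-matching methods go through hash_equals(). As an added illustration, not MediaWiki's own code, the following PHP contrasts a loose `==` comparison with a constant-time one, and includes a polyfill for branches that still had to run on PHP older than 5.6, where hash_equals() does not exist (the polyfill, the function names `matchTokenUnsafe`/`matchTokenSafe` and the sample token values are assumptions made for this example):

```php
<?php
// Added example (not MediaWiki code): constant-time comparison of an edit token.
// Names and sample values below are hypothetical/constructed for illustration.

// hash_equals() ships with PHP >= 5.6. Assumption: on older PHP a byte-by-byte
// XOR accumulator is an acceptable stand-in, because it touches every byte
// regardless of where the first mismatch is.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

/**
 * Timing-unsafe comparison: `==` stops at the first differing byte, so the
 * elapsed time leaks how many leading bytes of the guess were correct.
 * It also applies PHP type juggling (numeric-looking strings compare as numbers).
 */
function matchTokenUnsafe($expected, $submitted) {
    return $expected == $submitted;
}

/**
 * Constant-time comparison. Per the hash_equals() contract the known-good
 * value is the first argument and the user-supplied value the second.
 * Casting to string avoids the false-on-non-string path for null/int input.
 */
function matchTokenSafe($expected, $submitted) {
    return hash_equals((string)$expected, (string)$submitted);
}

// Constructed sample values: a hex token carrying a MediaWiki-style "+\" suffix,
// an identical copy, and one that differs only in the final byte.
$expected = '3f1e9b2a4c7d5e6f8a9b0c1d2e3f4a5b+\\';
$good     = '3f1e9b2a4c7d5e6f8a9b0c1d2e3f4a5b+\\';
$nearMiss = '3f1e9b2a4c7d5e6f8a9b0c1d2e3f4a5b+/';

var_dump(matchTokenSafe($expected, $good));
var_dump(matchTokenSafe($expected, $nearMiss));

// Type-juggling hazard of the loose comparison: both strings look numeric,
// so `==` compares them as 1000 == 1000.
var_dump(matchTokenUnsafe('1e3', '1000'));
var_dump(matchTokenSafe('1e3', '1000'));
```

Run with `php example.php`: the first call is true, the second false, and the last two show the `==` version accepting `'1e3'` against `'1000'` while hash_equals() rejects it. The point of routing every return of matchEditToken and matchEditTokenNoSuffix through the safe helper is that a single remaining `==` on any path reintroduces both the timing side channel and the juggling issue.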

Thanks for the review. I'll amend and post a revised REL1_23 and REL1_24 patch shortly.

Revised these two:

Syntax error snuck into 1.24, revised:

Proposed release notes, will be backporting to all branches:

* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't interpret POST parameters starting with '@' as file
  uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki

Proofreading would be nice ;-)

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and
1.23.12.

These releases fix six security issues in core, in addition to other bug
fixes. Download links are given at the end of this email. Patches will
be in Git and tags up shortly, as they pass Jenkins.

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with
'@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer
be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and
related pages no longer use HTTP redirects and are now redirected by MediaWiki

== Note about EOL of 1.24.x ==
Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0 but
we dropped one final release of 1.24.x here to give it a nicer send off for
those who have not yet upgraded.

== Release notes ==

Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>

Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
   1.26.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.25.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.24.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.