
MediaWiki Security release 1.25.4
Closed, Resolved, Public

Event Timeline

csteipp created this task.Oct 16 2015, 4:45 PM
csteipp raised the priority of this task from to Medium.
csteipp updated the task description.
csteipp added projects: Release, Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application added a subscriber: Aklapper.Oct 16 2015, 4:45 PM
csteipp added a subtask: Restricted Task.Oct 16 2015, 4:45 PM
csteipp added a subtask: Restricted Task.
csteipp added a subtask: Restricted Task.
csteipp added a subscriber: demon.
demon removed a subtask: Restricted Task.Nov 20 2015, 10:41 PM
demon removed a subtask: Restricted Task.Nov 20 2015, 10:49 PM
demon claimed this task.Dec 16 2015, 9:55 PM
demon removed a subtask: Restricted Task.Dec 16 2015, 11:43 PM

Could use another set of eyes. REL1_23 through REL1_25 includes 2 unrelated backports to aid in merging (rMW64431f and rMWc1b47d). Master lacks the two patches for T117899: XSS from wikitext when $wgArticlePath='$1' because they're already in master.

(10 patches total)

(10 patches total)

(10 patches total)

(8 patches total)

(6 patches total)

If this looks good, we'll pre-announce the 6 blocked patches for the following 5 branches.

demon added a subscriber: Grunny.Dec 17 2015, 1:18 AM
Grunny added a comment.EditedDec 17 2015, 1:53 PM

The patches for T119309 in MW 1.23 and 1.24 should use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.
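
The review point above, as an added example that is not MediaWiki's own code: both the suffixed and the no-suffix edit-token checks are routed through hash_equals(), with a byte-by-byte fallback for PHP versions older than 5.6 that lack the built-in. The token layout (32 hex characters plus a fixed suffix), the function names and the secret are assumptions made for illustration only.

```php
<?php
// Added example, not MediaWiki's own code. Token layout, names and secret below
// are assumptions for illustration.

// hash_equals() ships with PHP 5.6; branches that still support older PHP need
// a fallback that inspects every byte instead of stopping at the first mismatch.
if ( !function_exists( 'hash_equals' ) ) {
	function hash_equals( $known, $user ) {
		if ( !is_string( $known ) || !is_string( $user ) ) {
			return false;
		}
		$len = strlen( $known );
		if ( $len !== strlen( $user ) ) {
			return false;
		}
		$diff = 0;
		for ( $i = 0; $i < $len; $i++ ) {
			$diff |= ord( $known[$i] ) ^ ord( $user[$i] );
		}
		return $diff === 0;
	}
}

// Assumed token layout: 32 hex characters followed by a fixed suffix.
define( 'TOKEN_SUFFIX', '+\\' );

function makeToken( $secret, $salt ) {
	return md5( $secret . $salt ) . TOKEN_SUFFIX;
}

// Before: `===` returns as soon as one byte differs, so response time can
// reveal how long a matching prefix the submitted value had.
function matchTokenUnsafe( $expected, $submitted ) {
	return $expected === $submitted;
}

// After: both variants compare through hash_equals(), so neither path leaks
// timing. The cast turns a null or missing request parameter into a string
// that simply fails to match instead of short-circuiting the is_string() guard.
function matchToken( $expected, $submitted ) {
	return hash_equals( $expected, (string)$submitted );
}

function matchTokenNoSuffix( $expected, $submitted ) {
	$expectedNoSuffix = substr( $expected, 0, -strlen( TOKEN_SUFFIX ) );
	return hash_equals( $expectedNoSuffix, (string)$submitted );
}

// Constructed sample values.
$token = makeToken( 'example-secret', 'example-salt' );
var_dump( matchToken( $token, $token ) );
var_dump( matchToken( $token, 'deadbeef' . TOKEN_SUFFIX ) );
var_dump( matchTokenNoSuffix( $token, substr( $token, 0, 32 ) ) );
var_dump( matchTokenNoSuffix( $token, null ) );
```

The fallback is only reached when hash_equals() is missing, so on PHP 5.6 and later the built-in is used unchanged; the no-suffix variant strips the suffix from the expected token, never from the submitted value, so a submitted value with a bogus suffix cannot be made to match.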

demon added a comment.Dec 17 2015, 4:15 PM

Thanks for the review. I'll amend and post a revised REL1_23 and REL1_24 patch shortly.

demon added a comment.Dec 17 2015, 5:08 PM

Revised these two:

demon added a comment.Dec 17 2015, 9:09 PM

Syntax error snuck into 1.24, revised:

Proposed release notes, will be backporting to all branches:

* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't interpret POST parameters starting with '@' as file
  uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki

Proofreading would be nice ;-)

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and
1.23.12.

These releases fix six security issues in core, in addition to other bug
fixes. Download links are given at the end of this email. Patches will
be in Git and tags up shortly, as they pass Jenkins.

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with
'@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer
be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and
related pages no longer use HTTP redirects and are now redirected by MediaWiki

== Note about EOL of 1.24.x ==
Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0 but
we dropped one final release of 1.24.x here to give it a nicer send off for
those who have not yet upgraded.

== Release notes ==

Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>

Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
   1.26.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.25.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.24.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.
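
Two of the fixes in the announcement above (T117899 and T118032) lend themselves to a short illustration. The following is an added example written against those notes, not MediaWiki's own code; the function names are hypothetical and the checks are simplified. It shows a validator for $wgArticlePath that accepts absolute URLs and slash-prefixed paths but rejects values such as "$1" or "wiki/$1", and a cURL POST helper that keeps values beginning with '@' from being read as file uploads. The second half needs PHP's curl extension; no request is sent because curl_exec() is never called.

```php
<?php
// Added example, not MediaWiki's own code. Function names are hypothetical and
// the checks are simplified versions of what the release notes describe.

// (T117899) Accept "http://my.wiki.com/wiki/$1" and "/wiki/$1"; reject "$1" and
// "wiki/$1", the relative forms the notes say enabled XSS.
function isSafeArticlePath( $articlePath ) {
	$articlePath = (string)$articlePath;
	if ( substr( $articlePath, 0, 1 ) === '/' ) {
		return true;                                   // "/wiki/$1"
	}
	if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $articlePath ) ) {
		return true;                                   // "http://my.wiki.com/wiki/$1"
	}
	return false;                                      // "$1", "wiki/$1"
}

function assertSafeArticlePath( $articlePath ) {
	if ( !isSafeArticlePath( $articlePath ) ) {
		throw new InvalidArgumentException(
			"\$wgArticlePath must be an absolute URL or begin with '/', got: $articlePath"
		);
	}
}

// (T118032) When CURLOPT_POSTFIELDS is an array, older PHP reads a value that
// starts with '@' as a local file to upload unless CURLOPT_SAFE_UPLOAD is on.
// The option exists from PHP 5.5 (default off until 5.6); PHP 7 dropped the '@'
// behaviour altogether and still accepts setting the option to true.
function setPostFieldsSafely( $ch, array $fields ) {
	if ( defined( 'CURLOPT_SAFE_UPLOAD' ) ) {
		curl_setopt( $ch, CURLOPT_SAFE_UPLOAD, true );
		curl_setopt( $ch, CURLOPT_POSTFIELDS, $fields );
	} else {
		// Older PHP: send a urlencoded string body instead. String bodies are
		// never interpreted as file uploads (at the cost of multipart encoding).
		curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $fields, '', '&' ) );
	}
}

// Constructed sample values.
foreach ( array( 'http://my.wiki.com/wiki/$1', '/wiki/$1', '$1', 'wiki/$1' ) as $path ) {
	printf( "%-28s %s\n", $path, isSafeArticlePath( $path ) ? 'ok' : 'rejected' );
}

$ch = curl_init( 'http://example.invalid/api.php' );
// An ordinary user-supplied value that happens to start with '@'; without the
// guard above, old PHP would try to open it as a file on the web server.
setPostFieldsSafely( $ch, array( 'comment' => '@alice thanks for the fix' ) );
curl_close( $ch );
```

A path check like this belongs at configuration load time so a bad $wgArticlePath fails loudly on every request rather than only when a page happens to render a relative link; the cURL helper is the one place to funnel all outbound POSTs through so that no caller can forget the option.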
demon closed this task as Resolved.Dec 18 2015, 12:39 AM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Luke081515.Jan 11 2016, 10:57 PM