
new minor release needed for syntaxhighlight
Closed, Resolved · Public

Description

The version in the tarball still had T158689 not fixed. From what I understand this is in the worst case a remote code execution vuln, that is now public, so we should treat this urgently. To avoid confusion we should release a new tarball with a minor version bump.

Event Timeline

Bawolff created this task. Apr 29 2017, 8:02 PM
Restricted Application added a subscriber: Aklapper. Apr 29 2017, 8:02 PM
Bawolff added a subscriber: demon.
Bawolff triaged this task as Unbreak Now! priority. Apr 29 2017, 8:27 PM

There's a post about this on oss-security now.

I put a warning on the download page. I'm going to send a warning to wikitech-l and mediawiki-l.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 29 2017, 8:44 PM
Restricted Application added subscribers: Jay8g, TerraCodes. Apr 29 2017, 8:44 PM

I sent a warning to mediawiki-l and wikitech-l (https://lists.wikimedia.org/pipermail/mediawiki-l/2017-April/046524.html). Arguably an issue of this type deserves a warning to mediawiki-announcements, but I don't have send access to that mailing list.

Restricted Application removed a subscriber: TerraCodes. Apr 29 2017, 8:49 PM
Bawolff added a subscriber: greg. Apr 30 2017, 12:40 AM

@Legoktm: there is also a report that Debian has the wrong version as well (I haven't verified this myself).

Yorick added a subscriber: Yorick. Apr 30 2017, 6:00 AM

Thanks for taking these actions, @Bawolff.

It looks like MediaWiki is not available in Debian 8, but it is included in the testing & unstable releases. Ubuntu, Fedora & Arch Linux also ship the wrong versions. I've informed them via their security contact emails. It is likely that this also affects other distros.

The details were already public when T158689: Parameters injection in SyntaxHighlight results in multiple vulnerabilities was made public (including my email address :( ) as it contains a copy of the advisory as attachment, including a phpinfo() poc.

demon claimed this task. Apr 30 2017, 6:51 PM