Page MenuHomePhabricator
Create Task
Maniphest T164155

new minor release needed for syntaxhighlight
Closed, ResolvedPublic
Actions

Description

The version in the tarball still had T158689 not fixed. From what i understand this is in the worst case a remote code execution vuln, that is now public, so we should treat this urgently. To avoid confusion we should release a new tarball with a minor version bump.

Related Objects

Event Timeline

Bawolff created this task.Apr 29 2017, 8:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 29 2017, 8:02 PM
Bawolff added a project: Release.Apr 29 2017, 8:03 PM
Bawolff added a subscriber: demon.
Bawolff triaged this task as Unbreak Now! priority.Apr 29 2017, 8:27 PM

Theres a post about this on oss-security now

I put a warning on the download page. Im going to send a warning to wikitech-l and mediawiki-l

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 29 2017, 8:44 PM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptApr 29 2017, 8:44 PM
Bawolff added a comment.Apr 29 2017, 8:49 PM

I sent a warning to mediawiki-l and wikitech-l (https://lists.wikimedia.org/pipermail/mediawiki-l/2017-April/046524.html) arguably an issue of this type deserves a warning to mediawiki-announcements but i dont have send access to that mailing list.

Restricted Application removed a subscriber: TerraCodes. · View Herald TranscriptApr 29 2017, 8:49 PM
Bawolff added a subscriber: greg.Apr 30 2017, 12:40 AM
Bawolff added a subscriber: Legoktm.Apr 30 2017, 12:46 AM

@Legoktm: there is also a report that debian has the wrong version as well (I havent verified this myself)

MZMcBride subscribed.Apr 30 2017, 4:25 AM
Yorick subscribed.Apr 30 2017, 6:00 AM

Thanks for taking these actions @Bawolff

It looks like MediaWiki is not available in Debian 8, but it is included in the testing & unstable releases. Ubuntu, Fedora & Arch Linux also ship the wrong versions. I've informed them via their security contact emails. It is likely that this also affects other distros.

The details were already public when T158689: Parameters injection in SyntaxHighlight results in multiple vulnerabilities was made public (including my email address :( ) as it contains a copy of the advisory as attachment, including a phpinfo() poc.

demon claimed this task.Apr 30 2017, 6:51 PM
demon closed this task as Resolved.Apr 30 2017, 8:32 PM

1.28.2 and 1.27.3

chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits