Page MenuHomePhabricator
Create Task
Maniphest T361202

Update MediaWiki to 1.39.7 (security fixes)
Open, Needs TriagePublic
Actions

Description

There was an announcement for a security release of MediaWiki in the next few days:
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/MHGBY3I2OCL7IMUL6F6NUHEWXAZ3DWFE/

ACs:

  • MediaWiki v1.39.7 is deployed on staging and production

Details

Other Assignee
Tarrow

Related Objects

Event Timeline

Deniz_WMDE created this task.Mar 28 2024, 10:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 10:28 AM
Deniz_WMDE moved this task from Kanban board Q1 2024 to Tech prioritized backlog on the Wikibase Cloud board.Mar 28 2024, 11:06 AM
Deniz_WMDE edited projects, added Wikibase Cloud; removed Wikibase Cloud (Kanban board Q1 2024).
Tarrow moved this task from Tech prioritized backlog to Kanban Board Q2 2024 on the Wikibase Cloud board.Thu, Apr 18, 1:25 PM
Tarrow edited projects, added Wikibase Cloud (Kanban Board Q2 2024); removed Wikibase Cloud.
Deniz_WMDE moved this task from To do to In Review on the Wikibase Cloud (Kanban Board Q2 2024) board.Fri, Apr 19, 7:16 AM

https://github.com/wbstack/mediawiki/pull/439

Deniz_WMDE claimed this task.Fri, Apr 19, 7:17 AM
Tarrow updated Other Assignee, added: Tarrow.Mon, Apr 22, 8:58 AM
Deniz_WMDE added a comment.EditedTue, Apr 23, 3:14 PM

I pinned our version of wikimedia/mediawiki-extensions-Math to 2822d35380c87960c56111be025fd2c5817e919e - https://github.com/wbstack/mediawiki/pull/439/commits/7085e13016b7155f471d734792cd79205a899076

This was needed because one of our CI checks from mediawiki.verify.yml failed with the new version Run curl -L -s -N "http://site1.localhost:8001/w/rest.php" | grep -q "did not match any known handler"

https://phabricator.wikimedia.org/P61095
vs
https://phabricator.wikimedia.org/P61096

I have not investigated if this is an upstream bug or something the wikibase.cloud engineers need to fix, this is still to be determined, but using an older version unblocks the deployment of the security fixes for now. What I found out though is that the problem is a defect filepath stat failed for /var/www/html/w//var/www/html/w/extensions/Math/popupRestRoutes.json that is related to https://github.com/wikimedia/mediawiki-extensions-Math/commit/a8e8717bb9e1cf1a6dbb54f967937fc1979da760#diff-9ed2b93fa9e08cdce5c86e3e009e739ee85ff05dc8c4767dc2cefeec3af1e38bR23

Deniz_WMDE added a subscriber: Tarrow.Wed, Apr 24, 11:06 AM

A sidetrack of working on this ticket spawned discussions between me and @Tarrow about the wbstack mediawiki sync process and a PR with the intention to improve working with it https://github.com/wbstack/mediawiki/pull/428

Together we looked at the current wikiman.yaml: https://github.com/wbstack/mediawiki/blob/10f89301b7596e42cad19848542713cccd680588/wikiman.yaml
and concluded that:

Deniz_WMDE added a comment.Wed, Apr 24, 3:36 PM

The issue with the Math extension resolved itself by using the latest mediawiki 1.39 and wikibase code.

Deniz_WMDE added a comment.Thu, Apr 25, 8:12 AM

Double checked today that the wmf extdist tarball contains the git submodules - can confirm it does

Deniz_WMDE moved this task from In Review to Done on the Wikibase Cloud (Kanban Board Q2 2024) board.Fri, Apr 26, 1:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL