Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread Andrea Pescetti

janI wrote:

> Instead of discussing what I should have done (and making me think "why do
> I care"), maybe we could concentrate on whether or not it should be applied,
> and if there are any volunteers to test it.


OK, let's leave security out of this and consider it just an 
infrastructure update. Then you need a few volunteers for testing. I can 
be one, even though my account probably has some extra privileges; I can 
test normal editing and localization (interface and content 
translation). Then we can probably find a couple of documentation 
volunteers, who are the heaviest users of Mwiki in this period, and 
start testing.


Regards,
  Andrea.

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread Daniel Shahaf
janI wrote on Tue, Mar 05, 2013 at 09:08:33 +0100:
> On 5 March 2013 08:46, Andrea Pescetti  wrote:
> 
> > Daniel Shahaf wrote:
> >
> >> if somebody replies to your post and says "Hey,
> >> false negative", you really want _that_ to happen privately.
> >>
> >
> > That was my concern too. Jan is perfectly right that he merely forwarded a
> > public security announcement, and that there is absolutely nothing wrong
> > in this in itself, but it's better to avoid the (admittedly remote, in this
> > case) possibility that someone exposes a security risk while commenting.
> > Take this as a generic practice; we had similar discussions about
> > vulnerabilities found in libraries, for example; and the common advice is
> > not to discuss security-related practices in public.
> >
> 
> I did not take it personally, but I do not understand how we can discuss an
> issue on a mailing list where most of the people needed for the discussion
> do not have access. Please remember my purpose, we need 2-3 volunteers to
> test the update.

I am expecting you to discuss security issues privately and recruit
volunteers publicly.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread janI
On 5 March 2013 08:46, Andrea Pescetti  wrote:

> Daniel Shahaf wrote:
>
>> if somebody replies to your post and says "Hey,
>> false negative", you really want _that_ to happen privately.
>>
>
> That was my concern too. Jan is perfectly right that he merely forwarded a
> public security announcement, and that there is absolutely nothing wrong
> in this in itself, but it's better to avoid the (admittedly remote, in this
> case) possibility that someone exposes a security risk while commenting.
> Take this as a generic practice; we had similar discussions about
> vulnerabilities found in libraries, for example; and the common advice is
> not to discuss security-related practices in public.
>

I did not take it personally, but I do not understand how we can discuss an
issue on a mailing list where most of the people needed for the discussion
do not have access. Please remember my purpose, we need 2-3 volunteers to
test the update.

Had it been a real security update (it does contain other fixes as well), I
would simply have applied it after a short discussion on IRC. But I do
honestly think that escalating a non-issue like this to r...@apache.org is
wrong and that was why I reacted.

Instead of discussing what I should have done (and making me think "why do
I care"), maybe we could concentrate on whether or not it should be applied,
and if there are any volunteers to test it.

thx in advance.

>
> Regards,
>   Andrea.
>


Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Andrea Pescetti

Daniel Shahaf wrote:

> if somebody replies to your post and says "Hey,
> false negative", you really want _that_ to happen privately.


That was my concern too. Jan is perfectly right that he merely forwarded 
a public security announcement, and that there is absolutely nothing 
wrong in this in itself, but it's better to avoid the (admittedly 
remote, in this case) possibility that someone exposes a security risk 
while commenting. Take this as a generic practice; we had similar 
discussions about vulnerabilities found in libraries, for example; and 
the common advice is not to discuss security-related practices in public.


Regards,
  Andrea.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Daniel Shahaf
janI wrote on Tue, Mar 05, 2013 at 00:41:42 +0100:
> On 5 March 2013 00:24, Daniel Shahaf  wrote:
> 
> > Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
> > > janI wrote:
> > >> As you can read below, mediawiki has just released a security release.
> > >> We are currently not hit by the issues noted in the mail.
> > >> However I would like to ask the community if we should upgrade or wait for
> > >> a later release?
> > >
> > > Security issues are one of the few cases where we prefer that all
> > > conversations happen in private (infrastructure-private, that you CCed,
> > > seems right).
> >
> > Security issues in services running on apache.org hardware should be
> > reported to root@, rather than infra-private@.
> >
> 
> I don't get it. I forwarded a PUBLIC email about a security release, NOT a
> security issue, just to get an opinion from the community, because if
> installed someone has to test it!!
> 
> It is really not easy to do something right.

Can you please not take this personally?  It was just a commit review.

To the point: I agree with Andrea: it would have been good if you had
been more conservative and discussed the security implications
privately.  That's because of the small chance that your assessment
that the announced issue does not affect ooo-wiki2-vm will turn out to
be a false negative: if somebody replies to your post and says "Hey,
false negative", you really want _that_ to happen privately.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread janI
On 5 March 2013 00:24, Daniel Shahaf  wrote:

> Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
> > janI wrote:
> >> As you can read below, mediawiki has just released a security release.
> >> We are currently not hit by the issues noted in the mail.
> >> However I would like to ask the community if we should upgrade or wait for
> >> a later release?
> >
> > Security issues are one of the few cases where we prefer that all
> > conversations happen in private (infrastructure-private, that you CCed,
> > seems right).
>
> Security issues in services running on apache.org hardware should be
> reported to root@, rather than infra-private@.
>

I don't get it. I forwarded a PUBLIC email about a security release, NOT a
security issue, just to get an opinion from the community, because if
installed someone has to test it!!

It is really not easy to do something right.

rgds
jan I.

> See http://www.apache.org/dev/infra-contact#how
>


Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Daniel Shahaf
Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
> janI wrote:
>> As you can read below, mediawiki has just released a security release.
>> We are currently not hit by the issues noted in the mail.
>> However I would like to ask the community if we should upgrade or wait for
>> a later release?
>
> Security issues are one of the few cases where we prefer that all  
> conversations happen in private (infrastructure-private, that you CCed,  
> seems right).

Security issues in services running on apache.org hardware should be
reported to root@, rather than infra-private@.

See http://www.apache.org/dev/infra-contact#how




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Andrea Pescetti

janI wrote:

> As you can read below, mediawiki has just released a security release.
> We are currently not hit by the issues noted in the mail.
> However I would like to ask the community if we should upgrade or wait for
> a later release?


Security issues are one of the few cases where we prefer that all 
conversations happen in private (infrastructure-private, that you CCed, 
seems right).


I realize that we are not affected by the vulnerabilities, so discussing 
this in public wouldn't pose risks in this case, but still with all 
security releases the project will simply take Infra's advice.


And thank you for following Mediawiki's security announcements!

Regards,
  Andrea.


Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread janI
Hi.

As you can read below, mediawiki has just released a security release.

We are currently not hit by the issues noted in the mail.

However I would like to ask the community if we should upgrade or wait for
a later release?

If we upgrade, we have to test all extensions again.

rgds
Jan I.

-- Forwarded message --
From: Chris Steipp 
Date: 4 March 2013 20:19
Subject: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4
To: mediawiki-annou...@lists.wikimedia.org, Wikimedia developers <
wikitec...@lists.wikimedia.org>


I would like to announce the release of MediaWiki 1.20.3 and 1.19.4.
These releases fix 3 security related bugs that could affect users of
MediaWiki. Download links are given at the end of this email.

* By default, the curl library passed 'true' to CURLOPT_SSL_VERIFYHOST
when establishing an SSL connection, instead of '2'.



* MediaWiki developer Krenair discovered that the full user object,
including password hash, could be returned when unblocking a user by
the API. Exploitation of this vulnerability requires the user to have
permissions to unblock users; by default this is limited to users in
the sysop group.


* MediaWiki developer Platonides discovered that the maintenance
script mwdoc-filter.php did not check if it was being run via the CLI,
and could allow an attacker to read arbitrary files if PHP's
register_globals was enabled and the .htaccess file in the maintenance
directory, which by default denies access for all users, was disabled.



Full release notes for 1.20.3:


Full release notes for 1.19.4:


For information about how to upgrade, see



**
   1.20.3
**
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz

Patch to previous version (1.20.2), without interface text:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.20/mediawiki-i18n-1.20.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**
   1.19.4
**
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz

Patch to previous version (1.19.3), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

___
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
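The weak curl setting from the first bullet of the announcement beside its corrected value, as an added PHP example that is not MediaWiki's code; the audit helper `auditCurlTlsOptions` and the option arrays are constructed for illustration.

```php
<?php
// Added example (not MediaWiki code). PHP casts `true` to 1 when passing it
// to curl_setopt(). For libcurl of that era, CURLOPT_SSL_VERIFYHOST=1 only
// checked that the certificate carried *some* host name; it did not match
// that name against the host in the URL, so a valid certificate for an
// unrelated host would be accepted. (Newer libcurl releases no longer
// honour 1 as a distinct mode; this is stated as an assumption.)
$weakOptions = [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => true,   // weak: becomes 1
];

// Corrected form (what 1.20.3 / 1.19.4 switched to): 2 requires the
// certificate's name to match the requested host.
$fixedOptions = [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
];

/**
 * Audit an options array destined for curl_setopt_array() and return a list
 * of findings. Works on plain arrays, so it can be run over configuration
 * without opening any connection.
 */
function auditCurlTlsOptions(array $opts)
{
    $findings = [];
    if (empty($opts[CURLOPT_SSL_VERIFYPEER])) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: certificate chain is not validated';
    }
    // Strict comparison: `true` must not be mistaken for 2.
    if (!isset($opts[CURLOPT_SSL_VERIFYHOST]) || $opts[CURLOPT_SSL_VERIFYHOST] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: certificate name is not matched against the URL host';
    }
    return $findings;
}

/** Fetch a URL with both peer and host verification enforced. */
function fetchWithHostVerification($url, array $tlsOptions)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $tlsOptions + [CURLOPT_RETURNTRANSFER => true]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

print_r(auditCurlTlsOptions($weakOptions));   // one finding, about VERIFYHOST
print_r(auditCurlTlsOptions($fixedOptions));  // empty array
```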