[Wikitech-l] Security release: 1.29.2 / 1.28.3 / 1.27.4

2017-11-14 Thread Sam Reed
I would like to announce the release of MediaWiki 1.29.2, 1.28.3 and 1.27.4!

These releases fix nine security issues in core and one related issue in
the vendor folder. Download links are given at the end of this email.

Patches will be pushed to gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows. Git
tags will follow soon after. All related tasks will be made public in
phabricator too in the following few hours.

Please note that this month is the End-Of-Life date for MediaWiki 1.28. This
means that MediaWiki 1.28.3 will be the last security release for that
version, barring any unforeseen issues. We would strongly encourage users of
MediaWiki 1.28 to upgrade to MediaWiki 1.29, released in July 2017, or a yet
newer version as soon as possible. MediaWiki 1.29 will be supported until
July 2018. See  for more information.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T128209) Reflected File Download from api.php. Reported by Abdullah
  Hussam. (CVE-2017-8809)
* (T165846) BotPasswords doesn't throttle login attempts.
* (T134100) On private wikis, login form shouldn't distinguish between
  login failure due to bad username and bad password. (CVE-2017-8810)
* (T178451) XSS when $wgShowExceptionDetails = false and browser sends
  non-standard url escaping. (CVE-2017-8808)
* (T176247) It's possible to mangle HTML via raw message parameter
  expansion. (CVE-2017-8811)
* (T125163) id attribute on headlines allows raw >. (CVE-2017-8812)
* (T124404) language converter can be tricked into replacing text inside
  tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
* (T119158) Language converter: unsafe attribute injection via glossary
  rules (CVE-2017-8815)

The following only affects 1.29:
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't
  correctly fixed in all branches in the previous security release.
  (CVE-2017-0361)

The following only affects 1.27 and 1.28:
* (T180231) composer.json has require-dev versions of PHPUnit with known
  security issues. Reported by Tom Hutchison. (CVE-2017-9841)

It is recommended to run `composer update --no-dev` after upgrading to MW
1.27.4 or 1.28.3 if you installed MediaWiki via git. If you are using the
tarball, you are not affected, and you do not need to run this command.
This will remove developer dependencies that production wikis do not
require. If you require developer dependencies, run `composer update`
which will update to a version of PHPUnit without known RCE.

If you cannot run `composer update` for any reason, it is recommended that
you delete the offending file as a minimum yourself using the following
command:

`rm -rf vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`

== Links to all mentioned tasks ==
https://phabricator.wikimedia.org/T128209
https://phabricator.wikimedia.org/T165846
https://phabricator.wikimedia.org/T134100
https://phabricator.wikimedia.org/T178451
https://phabricator.wikimedia.org/T176247
https://phabricator.wikimedia.org/T125163
https://phabricator.wikimedia.org/T180231
https://phabricator.wikimedia.org/T124404
https://phabricator.wikimedia.org/T119158
https://phabricator.wikimedia.org/T180488
https://phabricator.wikimedia.org/T125177

== Release notes ==

Full release notes for 1.27.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.28.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES-1.28
https://www.mediawiki.org/wiki/Release_notes/1.28

Full release notes for 1.29.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
https://www.mediawiki.org/wiki/Release_notes/1.29

For information about how to upgrade, see


**
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz

Patch to previous version (1.27.3):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**
Download:
https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz

Patch to previous version (1.28.2):
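
As an added example (not part of this announcement, and not MediaWiki or
Composer code), a small POSIX shell audit of the dev-dependency issue above:
it reports whether a git-installed MediaWiki tree still carries the PHPUnit
file named in the announcement and applies the fallback removal. The
MediaWiki root path and the fixture directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a git-installed MediaWiki tree for the dev-only
# PHPUnit file (T180231 / CVE-2017-9841) that `composer update --no-dev`
# removes. The fixture tree below is constructed for the demo; a real
# install would pass its own MediaWiki root directory.
set -eu

# Path of the offending file relative to the MediaWiki root (from the announcement).
EVAL_STDIN="vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Exit status 0 if the tree still carries the file, 1 if it is gone.
has_eval_stdin() {
    [ -f "$1/$EVAL_STDIN" ]
}

# Read-only check: prints "exposed" or "clean" for a MediaWiki root.
audit_mw_root() {
    if has_eval_stdin "$1"; then
        echo "exposed"
    else
        echo "clean"
    fi
}

# Fallback remediation from the announcement for installs that cannot run
# composer: delete the file. Prints "removed" or "absent".
remove_eval_stdin() {
    if has_eval_stdin "$1"; then
        rm -f "$1/$EVAL_STDIN"
        echo "removed"
    else
        echo "absent"
    fi
}

# Constructed fixture: a fake MediaWiki checkout with the dev-only file
# present (a placeholder stands in for the real file's content).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/vendor/phpunit/phpunit/src/Util/PHP"
    printf '<?php // placeholder for the dev-only PHPUnit file\n' > "$root/$EVAL_STDIN"
    echo "$root"
}
```

Run `audit_mw_root /path/to/mediawiki` on every git-based install before and
after `composer update --no-dev` to confirm the file is gone.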

[Wikitech-l] Discovery Weekly Update for the week starting 2017-10-30

2017-11-14 Thread Chris Koerner
Hello there,

This is the Discovery weekly update for the week starting 2017-10-30
_and_ 2017-11-06 - so the last two weeks.


== Highlights ==
* Blog post about searching using dashes and exclamation points when
they're not part of the expected search syntax (by Trey Jones): ''"So
-happy to meet you: Advanced searching techniques on Wikimedia
sites"''. [0]

== Discussions ==

=== Search ===
* Trey wrote a blog post about advanced searching techniques,
particularly dealing with dashes and exclamation points when they are
*not* search syntax. [0]
* Trey finished an analysis of enabling mapping hiragana and katakana
for English- and Japanese-language wikis. There was less enthusiasm
for the mapping and more problems on the Japanese side, so it is not
going to be deployed there at this time. However, we're looking to
enable it for other languages. [1]
* David finished up refactoring the Searcher class and the
SearchContext to allow easy code reuse [2]
* Eric fixed an issue with a searchmatch span that was altering searches [3]
* Eric and David finished up the work needed for evaluating the
training speed and accuracy for 1M and 30M sample training sets and
updated the resource usage docs [4]
* Stas enabled disambiguation page demoting in Wikidata search and
fixed several regressions in prefix search [5] [6] [7] [8].


=== Analysis ===
* Chelsy finished up the analysis of the A/B test to test relaxing the
retrieval query filter and the report has been published [9] [10]
* After the quarterly metrics meeting at the end of October, there was
a follow-up question that Chelsy answered [11]
* Mikhail and Gehel finished up the creation of a Puppet profile/role
for doing R-based heavy stats/ML on Wikimedia Cloud [12]


=== Portal ===
* The Wikipedia.org portal page was updated with new translations and
new stats on October 30, 2017 [13] [14]


=== WDQS ===
* Stas fixed a bug in RDF formatting of coordinates [15]
* Stas implemented ordinal variable in WDQS calls to MWAPI [16]


[0] https://blog.wikimedia.org/2017/11/06/searching-techniques/
[1] https://phabricator.wikimedia.org/T176197
[2] https://phabricator.wikimedia.org/T178906
[3] https://phabricator.wikimedia.org/T178522
[4] https://phabricator.wikimedia.org/T170009
[5] https://phabricator.wikimedia.org/T148411
[6] https://phabricator.wikimedia.org/T179061
[7] https://phabricator.wikimedia.org/T179045
[8] https://phabricator.wikimedia.org/T179130
[9] https://phabricator.wikimedia.org/T177957
[10] https://analytics.wikimedia.org/datasets/discovery/reports/AB_test_to_test_relaxing_the_retrieval_query_filter.html
[11] https://phabricator.wikimedia.org/T179449
[12] https://phabricator.wikimedia.org/T178096
[13] https://phabricator.wikimedia.org/T142582
[14] https://phabricator.wikimedia.org/T128546
[15] https://phabricator.wikimedia.org/T179228
[16] https://phabricator.wikimedia.org/T177275

---

Subscribe to receive on-wiki (or opt-in email) notifications of the
Discovery weekly update.

https://www.mediawiki.org/wiki/Newsletter:Discovery_Weekly

The archive of all past updates can be found on MediaWiki.org:

https://www.mediawiki.org/wiki/Discovery/Status_updates

Interested in getting involved? See tasks marked as "Easy" or
"Volunteer needed" in Phabricator.

[1] https://phabricator.wikimedia.org/maniphest/query/qW51XhCCd8.7/#R
[2] https://phabricator.wikimedia.org/maniphest/query/5KEPuEJh9TPS/#R


Yours,
Chris Koerner
Community Liaison
Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Tomorrow: Weekly Technical Advice IRC Meeting

2017-11-14 Thread Michael Schönitzer
Sorry for cross-posting!

Reminder: Technical Advice IRC meeting again **tomorrow, Wednesday 4-5 pm
UTC** on #wikimedia-tech.

The Technical Advice IRC meeting is open for all volunteer developers,
topics and questions. This can be anything from "how to get started" over
"who would be the best contact for X" to specific questions on your project.

If you know already what you would like to discuss or ask, please add your
topic to the next meeting:
https://www.mediawiki.org/wiki/Technical_Advice_IRC_Meeting

This meeting is an offer by WMDE’s tech team. Hosts of tomorrow's meeting
are: @addshore & @CFisch_WMDE.

Hope to see you there!
Michi (for WMDE’s tech team)


-- 
Michael F. Schönitzer



Wikimedia Deutschland e.V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Tel. (030) 219 158 26-0
http://wikimedia.de

Imagine a world in which every human being can freely share in the sum of
all knowledge. Help us make it happen!
http://spenden.wikimedia.de/

Wikimedia Deutschland - Society for the Promotion of Free Knowledge e.V.
Registered in the register of associations of the Amtsgericht
Berlin-Charlottenburg under number 23855 B. Recognised as a charitable
organisation by the Finanzamt für Körperschaften I Berlin, tax number
27/681/51985.