Mailing List Archive: Wikipedia: Wikitech

MediaWiki 1.19.0beta2



reedy at wikimedia

Mar 22, 2012, 12:37 PM

Post #1 of 6 (771 views)
MediaWiki 1.19.0beta2

I'm happy to announce the availability of the second beta release of the
new MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Five security issues were discovered.

It was discovered that the API had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed file
types is broader than on public wikis. Note that CSRF allows compromise of a
wiki from an external website even if the wiki is behind a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various more
secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take advantage
of the cryptographic random number facility provided by Windows.

Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of the
MWCryptRand class introduced with this release.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

A long-standing bug in the wikitext parser (bug 22555) was discovered to have
security implications. In the presence of the popular CharInsert extension, it
leads to cross-site scripting (XSS). XSS may be possible with other extensions
or perhaps even the MediaWiki core alone, although this is not confirmed at
this time. A denial-of-service attack (infinite loop) is also possible
regardless of configuration.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

*********************************************************************
What's new?
*********************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

A comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math, and render
as PNG by default.
* MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy piles
of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki cache
is used (used in the API and the Interwiki extension).

Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
content language.
* Time and number-formatting magic words also now depend on the page
content language.
* Bidirectional support further improved after 1.18.

Release notes
-------------
Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.19;hb=1.19.0beta2
https://www.mediawiki.org/wiki/Release_notes/1.19

Coinciding with these security releases, the MediaWiki source code repository
has moved from SVN (at https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3)
to Git (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the
relevant commits for these releases will not be appearing in our SVN
repository. If you use SVN checkouts of MediaWiki for version control, you
need to migrate these to Git. If you are using tarballs, there should be no
change in the process for you.

Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.

Please bear with us, some of the Git related links for this release may not
work instantly, but should later on.

To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git

More information is available at https://www.mediawiki.org/wiki/Git

For more help, please visit the #mediawiki IRC channel on freenode.net
irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list
at mediawiki-l [at] lists


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz

Patch to previous version (1.19.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
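As an added illustration (not code from the announcement or from MediaWiki itself), here is a reset-token helper for an extension written first in the mt_rand() form the announcement warns against and then in the MWCryptRand form it recommends. It assumes the static MWCryptRand::generateHex() and MWCryptRand::wasStrong() methods as shipped with 1.19; the function names are hypothetical.

```php
<?php
// Added illustration, not MediaWiki's own code. Assumes MWCryptRand (1.19+)
// is loaded; the helper function names below are hypothetical.

/**
 * Weak form: mt_rand() is a Mersenne Twister, not a cryptographic generator.
 * Its whole output stream is a deterministic function of one 32-bit seed, so
 * a token built from it carries at most ~32 bits of unpredictability however
 * long it looks. Unsuitable for password resets, sessions or CSRF tokens.
 */
function weakResetToken() {
    $token = '';
    for ( $i = 0; $i < 8; $i++ ) {
        $token .= sprintf( '%04x', mt_rand( 0, 0xffff ) );
    }
    return $token; // 32 hex chars, far less than 128 bits of entropy
}

/**
 * Recommended form: delegate to MWCryptRand, which picks the strongest
 * source the platform offers (openssl, mcrypt, /dev/urandom, ...).
 * 32 hex characters = 128 bits, enough for a one-time reset token.
 */
function strongResetToken() {
    $token = MWCryptRand::generateHex( 32 );
    if ( !MWCryptRand::wasStrong() ) {
        // The generator had to fall back to a non-cryptographic source
        // (on Windows, the case the openssl/mcrypt advice above addresses).
        // Refuse to issue a guessable token and make the condition visible.
        wfDebugLog( 'security', 'MWCryptRand fell back to a weak source' );
        throw new MWException( 'No strong random source available' );
    }
    return $token;
}

/**
 * Checking a submitted token against the stored one. A plain === stops at
 * the first differing byte, so response time reveals how many leading
 * characters matched; compare every byte and fold the differences instead.
 */
function tokenMatches( $expected, $received ) {
    if ( strlen( $expected ) !== strlen( $received ) ) {
        return false;
    }
    $diff = 0;
    for ( $i = 0; $i < strlen( $expected ); $i++ ) {
        $diff |= ord( $expected[$i] ) ^ ord( $received[$i] );
    }
    return $diff === 0;
}
```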


liangent at gmail

May 8, 2014, 11:46 PM

Post #2 of 6 (147 views)
Re: MediaWiki 1.19.0beta2 [In reply to]

On Mar 23, 2012 3:38 AM, "Sam Reed" <reedy [at] wikimedia> wrote:
> Any extension developers using mt_rand() to generate random numbers in
> contexts where security is required are encouraged to instead make use of the
> MWCryptRand class introduced with this release.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

I came across this mail and found this link still not viewable.



jasper at jasperswebsite

May 9, 2014, 12:37 AM

Post #3 of 6 (148 views)
Re: MediaWiki 1.19.0beta2 [In reply to]

Surely this reply was a mistake?


On Thu, May 8, 2014 at 11:46 PM, Liangent <liangent [at] gmail> wrote:
> I came across this mail and found this link still not viewable.


matma.rex at gmail

May 9, 2014, 12:40 AM

Post #4 of 6 (146 views)
Re: MediaWiki 1.19.0beta2 [In reply to]

On Fri, 09 May 2014 09:37:23 +0200, Jasper Deng <jasper [at] jasperswebsite> wrote:

> Surely this reply was a mistake?

Doesn't look like one. The important part is this:


> On Thu, May 8, 2014 at 11:46 PM, Liangent <liangent [at] gmail> wrote:
>
>> On Mar 23, 2012 3:38 AM, "Sam Reed" <reedy [at] wikimedia> wrote:
>> > Any extension developers using mt_rand() to generate random numbers in
>> > contexts
>> > where security is required are encouraged to instead make use of the
>> > MWCryptRand class introduced with this release.
>> >
>> > For more details, see
>> > https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
>>
>> I came across this mail and found this link still not viewable.

https://bugzilla.wikimedia.org/show_bug.cgi?id=35078 is, in fact, still a hidden security bug for some reason.


--
Matma Rex



jforrester at wikimedia

May 9, 2014, 12:41 AM

Post #5 of 6 (145 views)
Re: MediaWiki 1.19.0beta2 [In reply to]

On 9 May 2014 00:37, Jasper Deng <jasper [at] jasperswebsite> wrote:

> On Thu, May 8, 2014 at 11:46 PM, Liangent <liangent [at] gmail> wrote:
>
> > On Mar 23, 2012 3:38 AM, "Sam Reed" <reedy [at] wikimedia> wrote:
> > >
> > > I'm happy to announce the availability of the second beta release of
> > > the new MediaWiki 1.19 release series.

[Snip]

> > > George Argyros and Aggelos Kiayias reported that the method used to
> > > generate password reset tokens is not sufficiently secure. Instead we
> > > use various more secure random number generators, depending on
> > > what is available on the platform. Windows users are strongly advised
> > > to install either the openssl extension or the mcrypt extension
> > > for PHP so that MediaWiki can take advantage of the cryptographic random
> > > number facility provided by Windows.
> > >
> > > Any extension developers using mt_rand() to generate random numbers in
> > > contexts where security is required are encouraged to instead make use
> > > of the MWCryptRand class introduced with this release.
> > >
> > > For more details, see
> > > https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
> >
> > I came across this mail and found this link still not viewable.
>
> Surely this reply was a mistake?

No? Just overly-quoted.

J.
--
James D. Forrester
Product Manager, VisualEditor
Wikimedia Foundation, Inc.

jforrester [at] wikimedia | @jdforrester


jforrester at wikimedia

May 9, 2014, 12:44 AM

Post #6 of 6 (146 views)
Re: MediaWiki 1.19.0beta2 [In reply to]

On 8 May 2014 23:46, Liangent <liangent [at] gmail> wrote:

> On Mar 23, 2012 3:38 AM, "Sam Reed" <reedy [at] wikimedia> wrote:
> > I'm happy to announce the availability of the second beta release of the
> > new MediaWiki 1.19 release series.

[Snip]

> > George Argyros and Aggelos Kiayias reported that the method used to
> > generate password reset tokens is not sufficiently secure. Instead we
> > use various more secure random number generators, depending on
> > what is available on the platform. Windows users are strongly advised
> > to install either the openssl extension or the mcrypt extension
> > for PHP so that MediaWiki can take advantage of the cryptographic random
> > number facility provided by Windows.
> >
> > Any extension developers using mt_rand() to generate random numbers in
> > contexts where security is required are encouraged to instead make use
> > of the MWCryptRand class introduced with this release.
> >
> > For more details, see
> > https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
>
> I came across this mail and found this link still not viewable.

I've asked on the bug whether it's OK to make it public again.

J.
--
James D. Forrester
Product Manager, VisualEditor
Wikimedia Foundation, Inc.

jforrester [at] wikimedia | @jdforrester