[opensuse-wiki] openSUSE.org Security Alert
Hi Everyone,

Last night, we received an alert of a possible XSS or iFrame injection issue somewhere on www.opensuse.org or one of the wikis. We temporarily redirected the site and wikis to a maintenance page for about an hour while we assessed the risk and impact of the alert. After learning a little more, we felt that it was not a legitimate alert, and we brought the site back up.

I am still waiting on a full report, so that we can figure out what to do for a long-term solution. As a precaution, I am working on an immediate upgrade path to the latest version of Mediawiki and its plugins. I will also be working on upgrading Apache to 2.2.21 on the www and wiki servers.

-Matt

Hello,

On Friday, 4 November 2011, Matthew Ehle wrote:
> As a precaution, I am working on an immediate upgrade path to the latest version of Mediawiki and its plugins. I will also be working on upgrading Apache to 2.2.21 on the www and wiki servers.

Now that the wiki code is hosted in git: You probably remember my recommendation to use an SVN checkout of the mediawiki stable branch [1] (which can be updated with a simple "svn up" or "svn switch" later, even without breaking local modifications). The upgrade would be a good opportunity to do that _now_, to make future upgrades easier.

I have another request: Can you please install the ReplaceText extension? It would make several tasks much easier, for example the replacement of style= with class= in pages that are based on a page template. (The extension is by default only available to admins, and that's a good default IMHO.)

See http://en.opensuse.org/Help:CSS_cleanup and http://en.opensuse.org/openSUSE:GCI_tasks#Replace_CSS_style_with_CSS_classes... for details about the cleanup plans. We hope a Google Code In participant will do the cleanup in the templates. The CSS cleanup in the content pages based on a page template page will be done by a wiki admin (using the ReplaceText extension) - we don't want to give a newbie admin rights ;-)

Regards,
Christian Boltz

[1] if you don't remember all details:
- http://lists.opensuse.org/opensuse-wiki/2010-09/msg00053.html
- http://lists.opensuse.org/opensuse-wiki/2010-09/msg00058.html
- or just ask me ;-)

--
Top-posted full quotes often arise from the laziness of the user, who takes over the mail unedited and then smears his mustard very thickly on top of the sandwich (often even when there was honey underneath). [Thorsten Kettner in suse-linux]

Hi Christian,

I know you have suggested this before. In all honesty, it doesn't really matter whether I use subversion or not, especially with the way that we have to upgrade these wikis. Getting the MW core code is the easy part. I just download, extract, and move a couple of files over. The vast majority of the time is spent in downloading and installing the extensions. I use subversion for as many of them as I can, but that is suitable for maybe half of the extensions that we use.

What would be most helpful is to re-evaluate the extensions that we are running and see if we can get rid of a couple. That would go a long way for making the upgrades easier.

Thank you,
Matt

Participants (2): Christian Boltz, Matthew Ehle