Opened 4 years ago

Closed 2 years ago

#1819 closed defect (duplicate)

wiki configuration downlevel WRT security releases

Reported by: tomroche Owned by: christian
Priority: critical Milestone:
Component: Wiki Keywords:
Cc:

Description

summary

The OSGeo wiki is significantly downlevel from latest security updates for several components that I can see, and possibly others I can't (notably Debian). This should be fixed ASAP--running downlevel code is a good way to get hacked, which is always bad public relations (PR)--either by "just doing it" on our own host, or renting from a Semantic MediaWiki provider.

Apologies if this has already been discussed on security-priv, but I can't see its archives (by design). I also don't see

details

Currently, per Special:Version the OSGeo wiki has

component name            installed version      secure version
MediaWiki                 1.25.3                 1.27.1 (per top of current Recent News)
PHP                       5.3.3-7+squeeze29      5.6.28 (per top of current News Archive)
MySQL                     5.1.73-1+deb6u1        5.7.x? am checking, will comment this ticket

extension name            installed version      latest version
Semantic MediaWiki        2.3                    2.4.1 (per its page)
Semantic Forms            3.4                    4.0.1 (see note following)
Semantic Maps             3.2                    4.0 (see note following)
Semantic Result Formats   2.3                    2.4 (per its page)

Note the above is an excerpt, not a complete list. But merely from the above, this install is looking quite downlevel: e.g., MySQL 5.1 dates from 2008-9. Worse yet, if the wiki is on Debian 6/Squeeze (as suggested by the MySQL and PHP version names above), rather than the current-stable (Debian 8/Jessie), that's a major problem, which will almost certainly obstruct upgrading components above. Furthermore, note

  • for forms support, the wiki currently has extension=Semantic Forms @ version=3.4. As noted at its page, this extension has been renamed to Page Forms and its latest version=4.0.1.
  • per its page, extension=Semantic Maps has also been moved/renamed to Maps, for which latest version=4.0 (per its page).

I definitely understand that admin-ing is "real work," and it's work I don't have time to do. However, security of a world-readable service must not be ignored. If we lack the time/labor resources to keep security-uplevel, we should consider using one of the available Semantic MediaWiki providers--presuming they are security-uplevel, which we'd need to check. Unfortunately, if we wanna keep the osgeo.org domain for the wiki, we would probably need to purchase Referata's Enterprise SLA, which is 80 $/mo. (Another provider is wikihoster.net, but their site is in German and mine is not good: all I can see is that a .org domain will cost 30 €/mo in addition to something (it's an "zusätzlichen fakultativen Leistungen", which ~= optional add-on), but I'm not sure what to add that to.) If the wiki could live inside someone else's domain, however, we could use (depending on data size) Referata's Basic/free service, or (if we qualify as "biology-related") Biowikifarm, which is run by a German public consortium with EU money.
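As an added example (not part of the ticket or of any OSGeo tooling), a small Python check that encodes the installed-vs-current versions quoted above and flags every component that is downlevel. It assumes that the Debian packaging suffix (everything after the first "-", e.g. "-7+squeeze29") can be dropped so that only the upstream version is compared; the MySQL target "5.7" is the reporter's tentative figure.

```python
import re

# Constructed from the versions quoted in the ticket: installed version on the
# OSGeo wiki vs. the version the reporter identified as current/secure.
COMPONENTS = {
    "MediaWiki": ("1.25.3", "1.27.1"),
    "PHP": ("5.3.3-7+squeeze29", "5.6.28"),
    "MySQL": ("5.1.73-1+deb6u1", "5.7"),          # "5.7.x?" in the ticket
    "Semantic MediaWiki": ("2.3", "2.4.1"),
    "Semantic Forms": ("3.4", "4.0.1"),           # now "Page Forms"
    "Semantic Maps": ("3.2", "4.0"),              # now "Maps"
    "Semantic Result Formats": ("2.3", "2.4"),
}


def upstream_version(version):
    """Drop the Debian package revision so '5.3.3-7+squeeze29' reads as 5.3.3.
    (Assumption: the part before the first '-' is the upstream version.)"""
    return version.split("-", 1)[0]


def version_key(version):
    """Turn a version string into a tuple that compares numerically.
    Digit runs compare as integers, letter runs (e.g. 'rc') as strings; a
    tag distinguishes the two so mixed tuples never raise TypeError."""
    parts = re.findall(r"\d+|[A-Za-z]+", upstream_version(version))
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_downlevel(installed, current):
    """True when the installed version is strictly older than current."""
    return version_key(installed) < version_key(current)


def downlevel_components(components=COMPONENTS):
    """Names of all components whose installed version is behind current,
    in table order, so an admin can see at a glance what needs upgrading."""
    return [name for name, (inst, cur) in components.items()
            if is_downlevel(inst, cur)]


if __name__ == "__main__":
    for name in downlevel_components():
        inst, cur = COMPONENTS[name]
        print(f"{name}: installed {inst} is older than current {cur}")
```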

Change History (4)

comment:1 Changed 4 years ago by tomroche

More research, refactoring: see updated lists of

I'll continue updating status at that repo, and make comments with links on update (rather than copy/mod changes as comments).

comment:2 Changed 4 years ago by tomroche

Regarding the insecurity of the current wikihost configuration, see this thread on SMW-users. Regarding contributors to that thread, note that Jeroen De Dauw is SMW's co-core developer and Karsten Hoffmeyer (kghbin) is the editor in chief of SMW's website and doc (as well as the operator of WikiHoster).

comment:3 Changed 3 years ago by strk

Priority: major → critical

comment:4 Changed 2 years ago by strk

Resolution: → duplicate
Status: new → closed

Please refer to #2004 for wiki upgrade task.
