Opened 7 years ago
Closed 5 years ago
#1819 closed defect (duplicate)
wiki configuration downlevel WRT security releases
Reported by: tomroche | Owned by: christian
The OSGeo wiki is significantly downlevel from latest security updates for several components that I can see, and possibly others I can't (notably Debian). This should be fixed ASAP--running downlevel code is a good way to get hacked, which is always bad public relations (PR)--either by "just doing it" on our own host, or renting from a Semantic MediaWiki provider.
Apologies if this has already been discussed on security-priv, but I can't see its archives (by design). I also don't see
- another ticket discussing this (apologies if I missed something in search)
- another way to non-publicly share a security concern with OSGeo (ditto)
Currently, per Special:Version the OSGeo wiki has the following (installed version vs. latest release):
| Component | Installed | Latest |
| MediaWiki | 1.25.3 | 1.27.1 (per top of current Recent News) |
| PHP | 5.3.3-7+squeeze29 | 5.6.28 (per top of current News Archive) |
| MySQL | 5.1.73-1+deb6u1 | 5.7.x? am checking, will comment this ticket |
| Semantic MediaWiki | 2.3 | 2.4.1 (per its page) |
| Semantic Forms | 3.4 | 4.0.1 (see note following) |
| Semantic Maps | 3.2 | 4.0 (see note following) |
| Semantic Result Formats | 2.3 | 2.4 (per its page) |
Note the above is an excerpt, not a complete list. But merely from the above, this install is looking quite downlevel: e.g., MySQL 5.1 dates from 2008-9. Worse yet, if the wiki is on Debian 6/Squeeze (as suggested by the MySQL and PHP version names above), rather than the current-stable (Debian 8/Jessie), that's a major problem, which will almost certainly obstruct upgrading components above. Furthermore, note
- for forms support, the wiki currently has extension=Semantic Forms @ version=3.4. As noted at its page, this extension has been renamed to Page Forms, and its latest version=4.0.1.
- per its page, extension=Semantic Maps has also been moved/renamed to Maps, for which latest version=4.0 (per its page).
I definitely understand that admin-ing is "real work," and it's work I don't have time to do. However, security of a world-readable service must not be ignored. If we lack the time/labor resources to keep security-uplevel, we should consider using one of the available Semantic MediaWiki providers--presuming they are security-uplevel, which we'd need to check. Unfortunately, if we wanna keep the osgeo.org domain for the wiki, we would probably need to purchase Referata's ''Enterprise'' SLA, which is 80 $/mo. (Another provider is wikihoster.net, but their site is in German and mine is not good: all I can see is that a .org domain will cost 30 €/mo in addition to something (it's a zusätzlichen fakultativen Leistungen, which ~= optional add-on), but I'm not sure what to add that to.) If the wiki could live inside someone else's domain, however, we could use (depending on data size) Referata's Basic/free service, or (if we qualify as "biology-related") Biowikifarm, which is run by a German public consortium with EU money.
Change History (4)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
Regarding the insecurity of the current wikihost configuration, see this thread on SMW-users. Regarding contributors to that thread, note that Jeroen De Dauw is SMW's co-core developer and Karsten Hoffmeyer (kghbin) is the editor in chief of SMW's website and doc (as well as the operator of WikiHoster).
comment:3 by , 6 years ago
Priority: major → critical
comment:4 by , 5 years ago
Status: new → closed
Please refer to #2004 for wiki upgrade task.
More research, refactoring: see updated lists of
I'll continue updating status at that repo, and make comments with links on update (rather than copy/mod changes as comments).