Page MenuHomePhabricator
Create Task
Maniphest T124940

MediaWiki 1.26.3 security release
Closed, ResolvedPublic
Actions

Assigned To
demon
Authored By
csteipp
Jan 27 2016, 6:30 PM
Tags
Referenced Files
F3997267: T130947-1.26.patch
May 11 2016, 10:06 PM
F3997247: T130947-1.23.patch
May 11 2016, 10:02 PM
F3997145: T130947-1.26.patch
May 11 2016, 9:45 PM
F3997066: T125283-REL1_25.patch
May 11 2016, 9:20 PM
F3997065: T125283-REL1_23.patch
May 11 2016, 9:20 PM
F3997064: T125283-master.patch
May 11 2016, 9:20 PM
F3997067: T125283-REL1_26.patch
May 11 2016, 9:20 PM
F3992997: T116030-REL1_26.patch
May 10 2016, 10:35 PM
View All 75 Files
Subscribers
Aklapper
Bawolff
csteipp
demon
dpatrick
greg
Krenair
View All 9 Subscribers
Tokens
"Barnstar" token, awarded by greg.

Description

Getting time for another one

MW Versions: 1.26.3/1.25.6/1.23.14

REL1_23REL1_25REL1_26REL1_27/master
T122056: Old tokens are remaining valid within a new session
T122056-REL1_23.patch1 KBDownload
T122056-REL1_25.patch1 KBDownload
T122056-REL1_26.patch1 KBDownload
T122056-master.patch1 KBDownload
T127114: Login throttle can be tricked using non-canonicalized usernames
T127114-REL1_23.patch1 KBDownload
T127114-REL1_25.patch1 KBDownload
T127114-REL1_26.patch1 KBDownload
T127114-master.patch1 KBDownload
T127420: Pbkdf2Password does not check if hash_pbkdf2() succeededno pbkdf2
T127420-REL1_25.patch2 KBDownload
T127420-REL1_26.patch2 KBDownload
T127420-master.patch2 KBDownload
T123653: Cross-domain policy regexp is too narrow
T123653-REL1_23.patch2 KBDownload
T123653-REL1_25.patch3 KBDownload
T123653-REL1_26.patch3 KBDownload
T123653-master.patch3 KBDownload
T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
T123071-REL1_23.patch1 KBDownload
T123071-REL1_25.patch1 KBDownload
T123071-REL1_26.patch1 KBDownload
T123071-master.patch2 KBDownload
T129506: MediaWiki:Gadget-popups.js isn't renderable
T129506_00_MediaWiki_REL1_23.patch1 KBDownload
T129506_00_MediaWiki_REL1_25.patch1 KBDownload
T129506_00_MediaWiki_REL1_26.patch1 KBDownload
T129506_00_MediaWiki_master.patch1 KBDownload
T126685: Globally throttle password attempts
T126685-REL1_23.patch1 KBDownload
T126685-REL1_25.patch1 KBDownload
T126685-REL1_26.patch1 KBDownload
already there
T125283: Users occasionally logged in as different users after SessionManager deployment
T125283-REL1_23.patch1 KBDownload
T125283-REL1_25.patch1 KBDownload
T125283-REL1_26.patch1 KBDownload
T125283-master.patch1 KBDownload
T116030: Increase pbkdf2 parameter strengths (2015/2016)no pbkdf2
T116030-REL1_25.patch892 BDownload
T116030-REL1_26.patch892 BDownload
already there
T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags
T110143b-REL1_23.patch4 KBDownload
,
T110143-highlight-REL1_25.patch1 KBDownload
T110143b-REL1_25.patch4 KBDownload
,
T110143-highlight-REL1_25.patch1 KBDownload
T110143b-REL1_26.patch3 KBDownload
,
T110143-highlight-master.patch1 KBDownload
T110143b-master.patch3 KBDownload
,
T110143-highlight-master.patch1 KBDownload
T103239: Patrol allows click catching and patrolling of any page
T103239-REL1_23.patch2 KBDownload
T103239-REL1_26.patch2 KBDownload
T103239-REL1_26.patch2 KBDownload
T103239-master.patch2 KBDownload
T122807: [tracking] Check php crypto primatives
T122807-REL1_23.patch1 KBDownload
T122807-REL1_26.patch1 KBDownload
T122807-REL1_26.patch1 KBDownload
T122807-master.patch1 KBDownload
T98313: Graphs can leak tokens, leading to CSRF
T98313-REL1_23.patch5 KBDownload
T98313-REL1_25.patch5 KBDownload
T98313-REL1_25.patch5 KBDownload
T98313-master.patch5 KBDownload
T130947: Diff generation should use PoolCounter
T130947-1.26.patch1 KBDownload
T130947-1.26.patch1 KBDownload
T130947-1.26.patch1 KBDownload
Use pool counter for gen diffs with better error handling2 KBDownload
T133507: Careless use of $wgExternalLinkTarget is insecure
T133507-REL1_23.patch4 KBDownload
T133507-REL1_25.patch4 KBDownload
T133507-REL1_26.patch4 KBDownload
T133507-master.patch4 KBDownload
T132874: API action=move is not rate limited
T132874-REL1_23.patch1 KBDownload
T132874-REL1_25.patch1 KBDownload
T132874-REL1_26.patch1 KBDownload
T132874-master.patch1 KBDownload

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved demonT124940 MediaWiki 1.26.3 security release
 ResolvedYurikT98313 Graphs can leak tokens, leading to CSRF
 Resolved csteippT122807 [tracking] Check php crypto primatives
 Resolved csteippT103239 Patrol allows click catching and patrolling of any page
 ResolvedBawolffT110143 strip markers can be used to get around html attribute escaping in (many?) parser tags
 Resolved csteippT116030 Increase pbkdf2 parameter strengths (2015/2016)
 ResolvedNoneT127396 Logins with CentralAuth fail when password re-hashed
 Resolved csteippT125283 Users occasionally logged in as different users after SessionManager deployment
 ResolvedBawolffT126685 Globally throttle password attempts
 Resolved dpatrickT129506 MediaWiki:Gadget-popups.js isn't renderable
 Resolved csteippT123071 Incorrectly identifying http link in a's href attributes, due to m modifier in regex
 Resolved dpatrickT123653 Cross-domain policy regexp is too narrow
 Resolved csteippT127420 Pbkdf2Password does not check if hash_pbkdf2() succeeded
 Resolved demonT127114 Login throttle can be tricked using non-canonicalized usernames
 Resolved csteippT122056 Old tokens are remaining valid within a new session
 ResolvedLegoktmT128695 Block::updateTimestamp() updates expiry of all blocks for the IP
 ResolvedDannyS712T257393 Local block of 180.214.232.49 not expiring on outreach.wikimedia
 Resolved csteippT130947 Diff generation should use PoolCounter
 Resolved csteippT133507 Careless use of $wgExternalLinkTarget is insecure
 Resolved csteippT132874 API action=move is not rate limited

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
demon added a subtask: T127114: Login throttle can be tricked using non-canonicalized usernames.Apr 14 2016, 6:51 PM
demon closed subtask T127114: Login throttle can be tricked using non-canonicalized usernames as Resolved.
csteipp added a subtask: T132874: API action=move is not rate limited.Apr 18 2016, 3:30 PM
csteipp removed a subtask: T132874: API action=move is not rate limited.Apr 19 2016, 5:09 PM
csteipp removed a subtask: T130384: CentralAuth doesn't check if given valid but unusable name.
csteipp closed subtask T125283: Users occasionally logged in as different users after SessionManager deployment as Resolved.Apr 19 2016, 5:13 PM
csteipp removed a subtask: Restricted Task.Apr 19 2016, 5:17 PM
csteipp removed a subtask: T125684: Wikidata description on mobile search and Special:Nearby is not escaped.Apr 19 2016, 5:20 PM
demon removed a subtask: T125290: CentralAuthUser::validateAuthToken should use constant-time string comparison.Apr 19 2016, 5:28 PM
Bawolff added a subtask: T122056: Old tokens are remaining valid within a new session.Apr 20 2016, 11:18 AM
demon updated the task description. (Show Details)Apr 20 2016, 3:09 PM
demon updated the task description. (Show Details)Apr 20 2016, 4:28 PM
demon updated the task description. (Show Details)Apr 20 2016, 4:48 PM
demon updated the task description. (Show Details)Apr 20 2016, 5:00 PM
demon updated the task description. (Show Details)Apr 20 2016, 7:55 PM
Bawolff added a subtask: T128695: Block::updateTimestamp() updates expiry of all blocks for the IP.Apr 22 2016, 8:47 PM
csteipp added a comment.Apr 25 2016, 3:25 PM

Patches for T122807: [tracking] Check php crypto primatives

T122807-REL1_26.patch1 KBDownload

T122807-master.patch1 KBDownload

T122807-REL1_23.patch1 KBDownload

csteipp updated the task description. (Show Details)Apr 25 2016, 3:27 PM
demon updated the task description. (Show Details)Apr 25 2016, 4:48 PM
csteipp added a comment.Apr 25 2016, 5:45 PM

Patches for T103239: Patrol allows click catching and patrolling of any page

T103239-master.patch2 KBDownload

T103239-REL1_26.patch2 KBDownload

T103239-REL1_23.patch2 KBDownload

csteipp updated the task description. (Show Details)Apr 25 2016, 5:46 PM
MaxSem added a subtask: T130947: Diff generation should use PoolCounter.Apr 25 2016, 7:08 PM
MaxSem updated the task description. (Show Details)
MaxSem updated the task description. (Show Details)Apr 25 2016, 9:24 PM
csteipp added a comment.Apr 25 2016, 9:36 PM

Patches for T98313

T98313-master.patch5 KBDownload

T98313-REL1_25.patch5 KBDownload

T98313-REL1_23.patch5 KBDownload

csteipp updated the task description. (Show Details)Apr 25 2016, 9:37 PM
csteipp added a comment.Apr 25 2016, 9:52 PM

Patches for 1.26 and master for T110143.

T110143b-master.patch3 KBDownload

T110143-highlight-master.patch1 KBDownload

T110143-scribunto-master.patch5 KBDownload

T110143b-REL1_26.patch3 KBDownload

csteipp updated the task description. (Show Details)Apr 25 2016, 9:54 PM
MaxSem updated the task description. (Show Details)Apr 25 2016, 10:16 PM
csteipp added a comment.Apr 25 2016, 11:06 PM

Patches for 1.25 and most of 1.23 (missing scribunto)

T110143b-REL1_23.patch4 KBDownload

T110143b-REL1_25.patch4 KBDownload

T110143-highlight-REL1_25.patch1 KBDownload

csteipp updated the task description. (Show Details)Apr 25 2016, 11:09 PM
csteipp updated the task description. (Show Details)Apr 26 2016, 12:41 AM
demon updated the task description. (Show Details)Apr 26 2016, 4:49 PM
demon updated the task description. (Show Details)Apr 26 2016, 4:58 PM
demon updated the task description. (Show Details)
demon updated the task description. (Show Details)Apr 26 2016, 6:28 PM
demon updated the task description. (Show Details)Apr 26 2016, 6:44 PM
csteipp added a comment.Apr 26 2016, 7:24 PM

T110143-scribunto-REL1_25.patch5 KBDownload

csteipp updated the task description. (Show Details)Apr 26 2016, 7:24 PM
demon updated the task description. (Show Details)Apr 26 2016, 7:56 PM
csteipp added a comment.Apr 26 2016, 8:58 PM

T110143-scribunto-REL1_23.patch5 KBDownload

csteipp updated the task description. (Show Details)Apr 26 2016, 8:58 PM
csteipp updated the task description. (Show Details)Apr 27 2016, 6:51 PM
Bawolff subscribed.Apr 29 2016, 10:18 PM

Is it too late for one more? I know this is really late in the game, but the underlying issue of T133507 has been trending on blogs, so it would be really cool to get it fixed in this release.

Patches in question for that bug are:

Bawolff added a subtask: T133507: Careless use of $wgExternalLinkTarget is insecure.Apr 29 2016, 10:19 PM
demon added a comment.Apr 29 2016, 10:50 PM
In T124940#2252682, @Bawolff wrote:

Is it too late for one more? I know this is really late in the game, but the underlying issue of T133507 has been trending on blogs, so it would be really cool to get it fixed in this release.

Patches in question for that bug are:

Considering we missed our proposed deadline of this week, I don't see why not. Go ahead and add them to the table.

dpatrick updated the task description. (Show Details)Apr 29 2016, 11:56 PM
dpatrick updated the task description. (Show Details)
Bawolff updated the task description. (Show Details)May 2 2016, 5:10 AM
Bawolff removed a subscriber: StudiesWorld.
Bawolff added a comment.May 2 2016, 5:18 AM

I removed StudiesWorld from being subscribed to this bug. If I understand correctly, him being subscribed gave him access to all the patches attached to this bug, which was probably bad... (That said, he appears to be just a curious Wikipedian who found herald, so probably not too big a deal)

Krenair added a comment.May 2 2016, 2:45 PM

I also removed them from several other private tasks visible to subscribers: {T121058} {T127646} {T123811} {T127823}

csteipp closed subtask T122056: Old tokens are remaining valid within a new session as Resolved.May 5 2016, 6:03 PM
csteipp closed subtask T130947: Diff generation should use PoolCounter as Resolved.May 5 2016, 6:24 PM
csteipp closed subtask T129506: MediaWiki:Gadget-popups.js isn't renderable as Resolved.
csteipp closed subtask T133507: Careless use of $wgExternalLinkTarget is insecure as Resolved.May 5 2016, 6:48 PM
csteipp added subscribers: dpatrick, MaxSem.May 5 2016, 6:54 PM

@dpatrick / @Bawolff / @MaxSem - All those patches are deployed now. Can you all make sure you have 'SECURITY: ' at the start of the commit summary? Makes it easier to see on the cluster what's been added on top of master when deploying, and probably good to be consistent when we push these into master.

csteipp added a comment.May 5 2016, 6:55 PM

@MaxSem, are you able to do backports of the patch for T130947?

csteipp added a subtask: T132874: API action=move is not rate limited.May 5 2016, 7:32 PM
csteipp updated the task description. (Show Details)

I'll do the backports of T132874 today or tomorrow

Bawolff updated the task description. (Show Details)May 9 2016, 8:03 AM
Bawolff updated the task description. (Show Details)May 9 2016, 8:08 AM
csteipp moved this task from Epics in progress to In Progress on the Security-Team board.May 9 2016, 6:17 PM
demon updated the task description. (Show Details)May 10 2016, 9:19 PM
csteipp added a subtask: T134863: Reflected XSS in GlobalGroupPermissions.May 10 2016, 9:20 PM

csteipp added a blocking task: T134863: Reflected XSS in GlobalGroupPermissions.

Adding this here as a reminder we need to release this, but the tarball doesn't really rely on this. We can do it any time.

demon updated the task description. (Show Details)May 10 2016, 9:27 PM
demon updated the task description. (Show Details)May 10 2016, 10:15 PM
demon updated the task description. (Show Details)May 10 2016, 10:35 PM
dpatrick updated the task description. (Show Details)May 11 2016, 9:20 PM
MaxSem added a comment.May 11 2016, 9:45 PM

T130947: patch for 1.25-25 is

T130947-1.26.patch1 KBDownload

MaxSem updated the task description. (Show Details)May 11 2016, 9:46 PM
demon added a comment.May 11 2016, 10:01 PM

It also applies to REL1_23 when using --3way, so we can attach that too.

demon added a comment.May 11 2016, 10:02 PM

Although we should amend these to use array() syntax and not [].

MaxSem updated the task description. (Show Details)May 11 2016, 10:02 PM
MaxSem updated the task description. (Show Details)May 11 2016, 10:06 PM
greg awarded a token.May 12 2016, 12:52 AM
csteipp reopened subtask T127114: Login throttle can be tricked using non-canonicalized usernames as Open.May 17 2016, 12:46 AM
csteipp closed subtask T127114: Login throttle can be tricked using non-canonicalized usernames as Resolved.May 18 2016, 12:16 AM
demon updated the task description. (Show Details)May 18 2016, 6:37 PM
demon updated the task description. (Show Details)May 18 2016, 7:05 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:23 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:24 PM
demon removed a subtask: T134863: Reflected XSS in GlobalGroupPermissions.May 20 2016, 6:27 PM
demon closed this task as Resolved.May 25 2016, 4:39 PM
demon claimed this task.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:06 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL