Page MenuHomePhabricator
Create Task
Maniphest T168823

Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Bawolff
Jun 26 2017, 8:27 AM
Tags
Referenced Files
F10794169: T180488-REL1_30.patch
Nov 14 2017, 7:33 PM
F10794117: T180488-REL1_29.patch
Nov 14 2017, 7:33 PM
F10792561: 0001-SECURITY-Fix-rebase-error-in-4d38a489.patch
Nov 14 2017, 7:33 PM
F10774727: T134100-v4-REL1_27.patch
Nov 13 2017, 11:40 PM
F10774748: T134100-v4-REL1_30.patch
Nov 13 2017, 11:40 PM
F10774735: T134100-v4-REL1_28.patch
Nov 13 2017, 11:40 PM
F10774756: T134100-v4-master.patch
Nov 13 2017, 11:40 PM
F10774739: T134100-v4-REL1_29.patch
Nov 13 2017, 11:40 PM
View All 66 Files
Subscribers
Aklapper
Bawolff
CCicalese_WMF
Nikerabbit
Reedy

Description

Previous work: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release

Just a tracking bug for tasks that should be in the next security release.

Although 1.30 hasn't been released yet, security patches will need backporting for that too, though, hopefully, they shouldn't be too far away from the ones for HEAD of master...

Maniphest IDCVE IDREL1_27REL1_28REL1_29REL1_30master
T178451CVE-2017-8808
0001-T178451-REL1_27.patch2 KBDownload
0001-T178451-REL1_28.patch2 KBDownload
0001-T178451-REL1_29.patch2 KBDownload
0001-T178451-REL1_30.patch3 KBDownload
0001-T178451-master.patch2 KBDownload
T165846
0002-T165846-REL1_27.patch3 KBDownload
0002-T165846-REL1_28.patch3 KBDownload
0002-T165846-REL1_29.patch3 KBDownload
0002-T165846-REL1_30.patch3 KBDownload
0002-T165846-master.patch3 KBDownload
T128209CVE-2017-8809
T128209-REL1_27.patch6 KBDownload
T128209-REL1_28.patch6 KBDownload
T128209-REL1_29.patch6 KBDownload
T128209-REL1_30.patch6 KBDownload
T128209-master.patch6 KBDownload
T134100CVE-2017-8810
T134100-v4-REL1_27.patch2 KBDownload
T134100-v4-REL1_28.patch2 KBDownload
T134100-v4-REL1_29.patch2 KBDownload
T134100-v4-REL1_30.patch2 KBDownload
T134100-v4-master.patch2 KBDownload
T176247CVE-2017-8811
T176247-v2-REL1_27.patch2 KBDownload
T176247-v2-REL1_28.patch2 KBDownload
T176247-REL1_29.patch2 KBDownload
T176247-REL1_30.patch2 KBDownload
T176247-master.patch2 KBDownload
T125163CVE-2017-8812
T125163-REL1_27.patch1 KBDownload
T125163-REL1_28.patch1 KBDownload
T125163-REL1_29.patch1 KBDownload
gerrit 362326gerrit 362326
T180231/T180237CVE-2017-9841
T180237-REL1_27.patch3 KBDownload
T180231-REL1_27.patch1 KBDownload
T180237-REL1_28.patch3 KBDownload
T180231-REL1_28.patch1 KBDownload
T180237-REL1_29.patch3 KBDownload
T180231-REL1_29.patch1 KBDownload
T180237-REL1_30.patch3 KBDownload
T180231-REL1_30.patch1 KBDownload
T180237-master.patch3 KBDownload
T180231-master.patch1 KBDownload
T124404CVE-2017-8814
T124404-REL1_27.patch5 KBDownload
T124404-REL1_28.patch5 KBDownload
T124404-REL1_29.patch5 KBDownload
T124404-REL1_30.patch5 KBDownload
T124404-master.patch5 KBDownload
T119158CVE-2017-8815
T119158-REL1_27.patch4 KBDownload
T119158-REL1_28.patch4 KBDownload
T119158-REL1_29.patch4 KBDownload
T119158-REL1_30.patch4 KBDownload
T119158-master.patch4 KBDownload
T180488CVE-2017-0361n/an/a
T180488-REL1_29.patch1 KBDownload
T180488-REL1_30.patch1 KBDownload
0001-SECURITY-Fix-rebase-error-in-4d38a489.patch1 KBDownload

Vendor
Should trivially cherry pick onto all branches

0001-SECURITY-Add-.htaccess-to-disallow-web-access.patch800 BDownload

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReedyT180272 Release MediaWiki 1.27.4/1.28.3/1.29.2
 Resolved demonT169127 Release MediaWiki 1.30
 ResolvedReedyT168823 Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
 ResolvedBawolffT128209 Reflected File Download from api.php
 ResolvedAnomieT165846 BotPasswords doesn't throttle login attempts
 ResolvedBawolffT134100 On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password
 ResolvedBawolffT178451 XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping
 ResolvedMaxSemT176247 It's possible to mangle HTML via raw message parameter expansion
 ResolvedMoritzMuehlenhoffT179609 Obtain CVE's for 1.27.4/1.29.2 security releases
 ResolvedMaxSemT125163 id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812)
 ResolvedReedyT180231 MW 1.27 and 1.28 require-dev versions of phpunit with known security issues
 ResolvedReedyT180232 Document to run composer with `--no-dev`
 DeclinedNoneT180233 Set `no-dev` as the default config in composer.json
 DeclinedNoneT180235 Run composer with `--dev` flag
 ResolvedLegoktmT180237 Have composer create a .htaccess file in vendor director
 ResolvedBawolffT124404 language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814)
 ResolvedBawolffT119158 Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)
 ResolvedAnomieT180488 api.log still contains passwords in plaintext due to a rebase error in 4d38a489

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 26 2017, 8:27 AM
Bawolff added a project: MW-1.28-release.Jun 26 2017, 8:27 AM
Bawolff added a subtask: T128209: Reflected File Download from api.php.Jun 26 2017, 9:08 AM
Bawolff added a subtask: T165846: BotPasswords doesn't throttle login attempts.Jun 28 2017, 1:22 PM
Bawolff added a subtask: T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.
Reedy added projects: MW-1.27-release, MW-1.29-release.Jul 4 2017, 8:06 PM
Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jul 4 2017, 8:11 PM
Aklapper renamed this task from Tracking bug for 1.28.3/1.27.4 (And maybe 1.29.1) Security release to Tracking bug for 1.28.3/1.27.4 (And maybe 1.29.2) Security release.Sep 25 2017, 11:01 AM
Nikerabbit subscribed.Oct 3 2017, 2:11 PM
Bawolff added a subtask: T178451: XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping.Oct 18 2017, 5:12 PM
dpatrick added a subtask: T176247: It's possible to mangle HTML via raw message parameter expansion.Nov 1 2017, 5:34 PM
Reedy renamed this task from Tracking bug for 1.28.3/1.27.4 (And maybe 1.29.2) Security release to Tracking bug for 1.27.4/1.29.2 security releases.Nov 1 2017, 10:56 PM
Reedy removed a project: MW-1.28-release.
Reedy subscribed.

1.28.3 removed due to https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000214.html

Reedy added a project: MW-1.30-release.Nov 1 2017, 10:59 PM
Reedy updated the task description. (Show Details)
Reedy created subtask T179609: Obtain CVE's for 1.27.4/1.29.2 security releases.Nov 2 2017, 7:37 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Nov 2 2017, 7:41 PM
Reedy updated the task description. (Show Details)Nov 2 2017, 8:01 PM
Reedy updated the task description. (Show Details)Nov 2 2017, 10:41 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Nov 2 2017, 11:57 PM
Reedy updated the task description. (Show Details)
Reedy added a comment.Nov 5 2017, 12:11 AM

? over 1.28.3 over at T179780: Consider releasing MediaWiki 1.28.3

demon added a subscriber: CCicalese_WMF.Nov 7 2017, 7:47 PM
dpatrick updated the task description. (Show Details)Nov 8 2017, 5:51 PM
dpatrick added a subtask: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).
dpatrick updated the task description. (Show Details)Nov 8 2017, 5:58 PM
Bawolff updated the task description. (Show Details)Nov 9 2017, 9:11 PM
Reedy renamed this task from Tracking bug for 1.27.4/1.29.2 security releases to Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 10 2017, 8:13 PM
Reedy created subtask T180268: Write release announcements for 1.27.4/1.28.3/1.29.2 security releases.
Reedy added a project: MW-1.28-release.
Reedy updated the task description. (Show Details)Nov 10 2017, 8:54 PM
Reedy added a subtask: T180231: MW 1.27 and 1.28 require-dev versions of phpunit with known security issues.
Reedy updated the task description. (Show Details)Nov 10 2017, 10:21 PM
Reedy updated the task description. (Show Details)Nov 10 2017, 10:52 PM
Reedy updated the task description. (Show Details)Nov 10 2017, 11:19 PM
Reedy added a parent task: T180272: Release MediaWiki 1.27.4/1.28.3/1.29.2.Nov 10 2017, 11:27 PM
Reedy removed a subtask: T180268: Write release announcements for 1.27.4/1.28.3/1.29.2 security releases.
Reedy updated the task description. (Show Details)Nov 11 2017, 12:28 AM
Reedy updated the task description. (Show Details)Nov 11 2017, 12:44 AM
Reedy updated the task description. (Show Details)Nov 11 2017, 12:52 AM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Nov 11 2017, 1:02 AM
Reedy updated the task description. (Show Details)Nov 11 2017, 1:19 AM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Nov 11 2017, 1:26 AM

When we have a complete complement of cherry-picks/rebases... These patches need rebasing, RELEASE-NOTES adding where missing and stacking in a patch order

Reedy updated the task description. (Show Details)Nov 11 2017, 1:48 AM
Reedy closed subtask T178451: XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping as Resolved.Nov 13 2017, 4:18 PM
Reedy closed subtask T165846: BotPasswords doesn't throttle login attempts as Resolved.
Reedy closed subtask T128209: Reflected File Download from api.php as Resolved.
Bawolff updated the task description. (Show Details)Nov 13 2017, 4:29 PM
Bawolff updated the task description. (Show Details)Nov 13 2017, 4:32 PM
Reedy closed subtask T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password as Resolved.Nov 13 2017, 5:09 PM
Bawolff updated the task description. (Show Details)Nov 13 2017, 5:26 PM
Bawolff closed subtask T176247: It's possible to mangle HTML via raw message parameter expansion as Resolved.
Reedy updated the task description. (Show Details)Nov 13 2017, 5:57 PM
Reedy closed subtask T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812) as Resolved.
Bawolff added a subtask: T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814).Nov 13 2017, 6:15 PM
Bawolff added a subtask: T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815).
Reedy updated the task description. (Show Details)Nov 13 2017, 6:20 PM
Bawolff updated the task description. (Show Details)Nov 13 2017, 6:33 PM
Bawolff added a comment.Nov 13 2017, 6:43 PM

Note, that T124404 and T119158 conflict with each other. T124404 should be applied first.

Reedy closed subtask T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) as Resolved.Nov 13 2017, 7:36 PM
Bawolff updated the task description. (Show Details)Nov 13 2017, 8:22 PM
Reedy closed subtask T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815) as Resolved.Nov 13 2017, 8:29 PM
Reedy added a parent task: T169127: Release MediaWiki 1.30.Nov 13 2017, 10:36 PM
Tgr reopened subtask T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password as Open.Nov 13 2017, 10:37 PM
Bawolff updated the task description. (Show Details)Nov 13 2017, 11:40 PM
Bawolff closed subtask T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password as Resolved.
Reedy added a subtask: T180488: api.log still contains passwords in plaintext due to a rebase error in 4d38a489.Nov 14 2017, 4:31 PM
Reedy closed subtask T179609: Obtain CVE's for 1.27.4/1.29.2 security releases as Resolved.Nov 14 2017, 5:24 PM
Bawolff updated the task description. (Show Details)Nov 14 2017, 5:38 PM
Reedy updated the task description. (Show Details)Nov 14 2017, 7:33 PM
Reedy closed subtask T180488: api.log still contains passwords in plaintext due to a rebase error in 4d38a489 as Resolved.Nov 14 2017, 7:40 PM
Reedy closed subtask T180231: MW 1.27 and 1.28 require-dev versions of phpunit with known security issues as Resolved.Nov 14 2017, 11:03 PM
Reedy closed this task as Resolved.Nov 14 2017, 11:53 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Foxtrott reopened subtask T180231: MW 1.27 and 1.28 require-dev versions of phpunit with known security issues as Open.Nov 20 2017, 1:30 PM
Legoktm closed subtask T180231: MW 1.27 and 1.28 require-dev versions of phpunit with known security issues as Resolved.Nov 20 2017, 6:38 PM
Reedy mentioned this in T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 5:22 PM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:29 PM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL