Page MenuHomePhabricator
Create Task
Maniphest T240393

Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1
Closed, ResolvedPublic
Actions

Description

Previous work T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release

Tracking bug for next security release

Maniphest IDCVE IDREL1_31REL1_33REL1_34master
T232932CVE-2020-10959n/an/a
0002-T232932-master.patch2 KBDownload
T246602CVE-2020-10960
0001-T246602-master.patch1 KBDownload

n.b. T246602 is a pretty minor issue, but should probably be included here anyways.

Related Objects
Search...

Event Timeline

Reedy created this task.Dec 10 2019, 10:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2019, 10:53 PM
Reedy added a project: MediaWiki-Releasing.Dec 10 2019, 10:57 PM
Reedy triaged this task as Medium priority.Dec 10 2019, 11:02 PM
Reedy renamed this task from Tracking bug for Release MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1.Dec 10 2019, 11:03 PM
Reedy added a subtask: T232932: User content can redirect the logout button to different URL (CVE-2020-10959).
Reedy added a subtask: T239466: Possible to circumvent title-blacklist (CVE-2019-19709).
sbassett mentioned this in T239466: Possible to circumvent title-blacklist (CVE-2019-19709).Dec 10 2019, 11:20 PM
Legoktm updated the task description. (Show Details)Dec 12 2019, 9:14 AM
Reedy removed a subtask: T239466: Possible to circumvent title-blacklist (CVE-2019-19709).Dec 12 2019, 12:07 PM
Reedy updated the task description. (Show Details)
Reedy renamed this task from Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.Jan 23 2020, 1:11 PM
Reedy updated the task description. (Show Details)
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
sbassett updated the task description. (Show Details)Feb 21 2020, 10:13 PM
sbassett added a subtask: T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 2 2020, 6:07 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 2 2020, 6:10 PM
sbassett added a subtask: T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960).Mar 2 2020, 11:25 PM
sbassett updated the task description. (Show Details)
Jdforrester-WMF subscribed.Mar 3 2020, 5:23 PM
sbassett mentioned this in T234104: PageTriage: Api allows spamming users with notifications.Mar 6 2020, 7:14 PM
sbassett added a subscriber: DannyS712.Mar 6 2020, 7:42 PM
Reedy removed a subtask: T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 10 2020, 2:13 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Mar 24 2020, 5:03 PM
Reedy closed subtask T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960) as Resolved.Mar 24 2020, 5:13 PM
Reedy closed subtask T232932: User content can redirect the logout button to different URL (CVE-2020-10959) as Resolved.Mar 24 2020, 5:32 PM
sbassett subscribed.EditedMar 25 2020, 2:55 AM

CVEs requested. Will update table in task description and task titles when I have the IDs.

Legoktm mentioned this in T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases.Mar 25 2020, 11:15 PM
Legoktm updated the task description. (Show Details)Mar 25 2020, 11:18 PM
Reedy mentioned this in T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2.Mar 26 2020, 12:34 AM
sbassett updated the task description. (Show Details)Mar 26 2020, 3:39 AM
Reedy closed this task as Resolved.Mar 26 2020, 5:41 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
DannyS712 changed the visibility from "Public (No Login Required)" to "Custom Policy".Mar 26 2020, 5:48 PM

@Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting

Reedy added a comment.Mar 26 2020, 6:34 PM
In T240393#6002789, @DannyS712 wrote:

@Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting

Considering the patch is already listed on https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html...

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 6:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL