Page MenuHomePhabricator
Create Task
Maniphest T270466

Write and send supplementary release announcement for extensions and skins with security patches (1.31.13/1.35.2)
Closed, ResolvedPublic
Actions

Description

Previous work: T263810

Maniphest IDExtension or SkinCVE IDREL1_31REL1_35master
T270767CommentBoxCVE-2021-31550NoNoYes
T272333AbuseFilterCVE-2021-31548NoNoYes
T270142WikiLoveCVE-2021-31557YesYesYes
T259433PageFormsCVE-2021-31551NoYes, Yes, YesYes, Yes, Yes
T71617AbuseFilterCVE-2021-31546YesYesYes
T223654AbuseFilterCVE-2021-31547Yes, YesYes, YesYes, Yes
T71367AbuseFilterCVE-2021-31545YesYesYes
T272770RenameuserNo CVENoNoYes
T274152AbuseFilterCVE-2021-31549Yes, YesYes, YesYes, Yes
T275669CheckUserCVE-2021-31553Yes, YesYes, YesYes, Yes
T152394AbuseFilterCVE-2021-31552NoNoYes
T272244AbuseFilterCVE-2021-31554YesYesYes
T277380OAuthCVE-2021-31556YesYesYes
T277388OAuthCVE-2021-31555YesYesYes

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Reedy subscribed.Dec 18 2020, 3:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 18 2020, 3:14 AM
Reedy added a parent task: T270458: Release MediaWiki 1.31.13/1.35.2.Dec 18 2020, 3:14 AM
DannyS712 updated the task description. (Show Details)Dec 18 2020, 3:22 AM
sbassett changed the task status from Open to Stalled.Dec 22 2020, 10:02 PM
sbassett claimed this task.
sbassett triaged this task as Low priority.
sbassett added a project: user-sbassett.
sbassett updated the task description. (Show Details)
sbassett added a project: Security-Team.Jan 4 2021, 5:04 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett moved this task from Backlog to Waiting on the user-sbassett board.Jan 4 2021, 5:06 PM
sbassett updated the task description. (Show Details)Jan 6 2021, 10:28 PM
sbassett updated the task description. (Show Details)Jan 22 2021, 3:42 PM
sbassett mentioned this in T259433: XSS issue in Extension:PageForms (CVE-2021-31551).Jan 22 2021, 3:48 PM
sbassett updated the task description. (Show Details)Jan 25 2021, 9:56 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 26 2021, 3:54 PM
sbassett updated the task description. (Show Details)Jan 26 2021, 4:28 PM
sbassett updated the task description. (Show Details)Feb 8 2021, 10:19 PM
sbassett mentioned this in T71617: AbuseFilter logs suppression deletions (CVE-2021-31546).
sbassett mentioned this in T223654: AbuseFilterCheckMatch API reveals suppressed edits and usernames (CVE-2021-31547).Feb 8 2021, 10:24 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 8 2021, 10:32 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 8 2021, 10:36 PM
sbassett mentioned this in T272770: Error while usurping an account.
sbassett updated the task description. (Show Details)Feb 9 2021, 7:30 PM
sbassett mentioned this in T274152: Special:AbuseFilter/examine reveals suppressed usernames (CVE-2021-31549).Feb 9 2021, 7:34 PM
sbassett updated the task description. (Show Details)Feb 25 2021, 5:04 PM
sbassett updated the task description. (Show Details)Feb 25 2021, 5:11 PM
sbassett updated the task description. (Show Details)Mar 9 2021, 10:30 PM
sbassett updated the task description. (Show Details)Mar 9 2021, 10:33 PM
sbassett updated the task description. (Show Details)Mar 9 2021, 10:37 PM
sbassett updated the task description. (Show Details)Mar 15 2021, 4:06 PM
sbassett updated the task description. (Show Details)Mar 22 2021, 9:12 PM
sbassett mentioned this in T272244: AbuseFilter blocks not working for account autocreations (CVE-2021-31554).
sbassett mentioned this in T279451: CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.Apr 7 2021, 5:43 PM
Reedy updated the task description. (Show Details)Apr 12 2021, 11:36 PM
Reedy updated the task description. (Show Details)
Reedy added a comment.Apr 12 2021, 11:40 PM

Not sure if we want to include them from MediaWiki-extensions-OAuth

{T277380}, T277388: OAuth doesn't validate length of oarc_version (CVE-2021-31555) etc

Reedy updated the task description. (Show Details)Apr 12 2021, 11:55 PM
Reedy updated the task description. (Show Details)Apr 12 2021, 11:59 PM
Reedy updated the task description. (Show Details)Apr 13 2021, 12:23 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 12:36 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 12:41 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 12:48 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 12:51 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 1:04 AM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Apr 13 2021, 1:17 AM
Reedy updated the task description. (Show Details)Apr 13 2021, 1:25 AM
DannyS712 mentioned this in T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Apr 13 2021, 2:02 AM
sbassett added a comment.Apr 13 2021, 3:43 PM
In T270466#6992575, @Reedy wrote:

Not sure if we want to include them from MediaWiki-extensions-OAuth

Yes, we probably should, since they aren't bundled in the tar ball releases. I'll add them. Hope to have the announcement out by the end of this week or sooner.

sbassett updated the task description. (Show Details)Apr 13 2021, 3:47 PM
sbassett updated the task description. (Show Details)Apr 13 2021, 3:52 PM
sbassett updated the task description. (Show Details)Apr 16 2021, 6:38 PM
sbassett updated the task description. (Show Details)Apr 16 2021, 6:47 PM
sbassett added a comment.EditedApr 16 2021, 7:49 PM

I've requested CVEs for:

  1. T270767 CommentBox
  2. T272333 AbuseFilter
  3. T270142 WikiLove
  4. T259433 PageForms
  5. T71617 AbuseFilter
  6. T223654 AbuseFilter
  7. T71367 AbuseFilter
  8. T274152 AbuseFilter
  9. T275669 CheckUser
  10. T152394 AbuseFilter
  11. T272244 AbuseFilter
  12. T277380 OAuth
  13. T277388 OAuth

I hope to have these confirmed from Mitre by early next week, at which time I will make this task public and send out the supplemental announcement to the relevant mailing lists.

sbassett updated the task description. (Show Details)Apr 17 2021, 12:56 AM
sbassett updated the task description. (Show Details)
sbassett added a comment.EditedApr 19 2021, 8:25 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.13/1.35.2)

Greetings-

With the security/maintenance release of MediaWiki 1.31.13/1.35.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

== CommentBox ==
+ (T270767, CVE-2021-31550) - Wg variables aren't validated by CommentBox - possible raw html insertion risk
< https://gerrit.wikimedia.org/r/651934 >

== AbuseFilter ==
+ (T272333, CVE-2021-31548) - Disallow the edit if blocking the user didn't succeed
< https://gerrit.wikimedia.org/r/657092 >

== WikiLove ==
+ (T270142, CVE-2021-31557) - mw.config.get( 'wikilove-anon' ) leaks the existence of hidden users
< https://gerrit.wikimedia.org/r/q/Ibcd87abe01719222beadcfc0de13038c3021adef >

== PageForms ==
+ (T259433, CVE-2021-31551) - XSS issue in Extension:PageForms
< https://gerrit.wikimedia.org/r/q/I5e0abbc2f80e6bda255b3b32a4df39a7fe7d3793 >
< https://gerrit.wikimedia.org/r/q/Ibe68b070ee791cd0c8e7f50eb04ac4e066b1512c >
< https://gerrit.wikimedia.org/r/q/I20b63bd38779d2ccbe2d86f9879df85ca3b685f6 >

== AbuseFilter ==
+ (T71617, CVE-2021-31546) - AbuseFilter logs suppression deletions
< https://gerrit.wikimedia.org/r/q/I38a0a24fa32ca7a052b6940864a32b3856e84553 >

== AbuseFilter ==
+ (T223654, CVE-2021-31547) - AbuseFilterCheckMatch API reveals suppressed edits and usernames
< https://gerrit.wikimedia.org/r/q/I4900b1be73323599d74e3164447f81eded094d75 >
< https://gerrit.wikimedia.org/r/q/I3f7dbd8b873d411e37c8c3aac2339bf5ec36907d >

== AbuseFilter ==
+ (T71367, CVE-2021-31545) - page_recent_contributors leaks revdeleted user names
< https://gerrit.wikimedia.org/r/q/I8d5ed9ca84282ee50832035af86123633fc88293 >

== AbuseFilter ==
+ (T274152, CVE-2021-31549) - Special:AbuseFilter/examine reveals suppressed usernames
< https://gerrit.wikimedia.org/r/q/I6063c02fa261c4cc0e6dbbb2db4e111eb85912c2 >
< https://gerrit.wikimedia.org/r/q/I71a6d521bd12931ce60eec4d2dc35af19146000f >

== CheckUser ==
+ (T275669, CVE-2021-31553) - Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will
< https://gerrit.wikimedia.org/r/666963 >
< https://gerrit.wikimedia.org/r/666964 >

== AbuseFilter ==
+ (T152394, CVE-2021-31552) - AbuseFilter privacy concerns on action == 'createaccount' and 'accountname'
< https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1 >

== AbuseFilter ==
+ (T272244, CVE-2021-31554) - AbuseFilter blocks not working for account autocreations
< https://gerrit.wikimedia.org/r/q/Ie1f4333d5b1c9d17fb2236fe38a31de427a4cc48 >

== OAuth ==
+ (T277380, CVE-2021-31556) - OAuth doesn't validate length of oarc_rsa_key
< https://gerrit.wikimedia.org/r/q/I13ff0350a9a0a3cd5ab3e1f82dd0d8d9c13cf9e9 >

== OAuth ==
+ (T277388, CVE-2021-31555) - OAuth doesn't validate length of oarc_version
< https://gerrit.wikimedia.org/r/q/I222c053b4b14ac1ad0f5b3a51565b1b9cd4c139d >

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.html
[1] https://phabricator.wikimedia.org/T270466
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett updated the task description. (Show Details)Apr 23 2021, 3:49 PM
sbassett updated the task description. (Show Details)Apr 23 2021, 6:48 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 23 2021, 6:53 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 23 2021, 6:55 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 23 2021, 7:01 PM
sbassett updated the task description. (Show Details)Apr 23 2021, 7:04 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 23 2021, 7:06 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett closed this task as Resolved.Apr 23 2021, 8:16 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

Sent.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000274.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2021-April/048719.html
https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094453.html

sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Apr 23 2021, 8:16 PM
sbassett changed the edit policy from "acl*security (Project)" to "All Users".
sbassett moved this task from Waiting to Done on the user-sbassett board.
Ostrzyciel mentioned this in T281193: Security release of AbuseFilter 1.35 throws TypeError.Apr 27 2021, 6:23 AM
DannyS712 mentioned this in T270458: Release MediaWiki 1.31.13/1.35.2.Jun 5 2021, 8:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL