⚓ T333626 Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)

Maniphest ID	Extension or Skin	CVE ID	REL1_35	REL1_38	REL1_39	REL1_40	master
T333569	CheckUser	CVE-2023-37255	N/A	N/A	Yes	Yes	Yes
T333980	GoogleAnalyticsMetrics	CVE-2023-37251	Yes	Yes	Yes	Yes	Yes
T330968	CheckUser	CVE-2023-37252	Yes, Yes	Yes, Yes	Yes, Yes	Yes, Yes	Yes, Yes
T331311	Cargo	CVE-2023-37256	N/A	N/A	N/A	N/A	Yes
T331065	Cargo	CVE-2023-37254	N/A	N/A	N/A	N/A	Yes
T326952	ProofreadPage	CVE-2023-37253	No	Yes	Yes	Yes	Yes
T323651	DoubleWiki	CVE-2023-37304	No	No	No	No	Yes
T338276	CheckUser	CVE-2023-37303	Yes	Yes	Yes	Yes	Yes
T250720	Wikibase	CVE-2023-37301	No	No	No	No	Yes, Yes
T339111	Wikibase	CVE-2023-37302	No	No	No	No	Yes, Yes

Status	Assigned	Task
Resolved	Reedy	T330174 Formally EOL MW 1.38
Resolved	Reedy	T329075 Release MW 1.40.0
Resolved	Reedy	T333616 Release MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0
Resolved	Mstyles	T333626 Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)

Reedy added projects: Security, MediaWiki-Releasing.Mar 30 2023, 11:49 PM

Reedy subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 30 2023, 11:49 PM

Reedy added a parent task: T333616: Release MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0.Mar 30 2023, 11:49 PM

DannyS712 updated the task description. (Show Details)Apr 4 2023, 3:35 PM

DannyS712 subscribed.

DannyS712 unsubscribed.

sbassett changed the task status from Open to In Progress.Apr 4 2023, 7:47 PM

sbassett triaged this task as Medium priority.

sbassett updated the task description. (Show Details)

sbassett added subscribers: mmartorana, Mstyles.

sbassett subscribed.

sbassett updated the task description. (Show Details)Apr 4 2023, 7:55 PM

sbassett updated the task description. (Show Details)Apr 4 2023, 8:03 PM

sbassett mentioned this in T333569: CVE-2023-37255: Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.

sbassett added a subscriber: Dreamy_Jazz.

sbassett updated the task description. (Show Details)Apr 4 2023, 8:34 PM

sbassett mentioned this in T333980: CVE-2023-37251: GoogleAnalyticsMetrics extension - XSS.

sbassett added a subscriber: Bawolff.

sbassett updated the task description. (Show Details)Apr 4 2023, 8:37 PM

sbassett updated the task description. (Show Details)Apr 4 2023, 9:09 PM

sbassett added a project: user-sbassett.

sbassett moved this task from Backlog to In Progress on the user-sbassett board.

sbassett updated the task description. (Show Details)Apr 4 2023, 9:22 PM

Dreamy_Jazz updated the task description. (Show Details)Apr 4 2023, 9:24 PM

sbassett updated the task description. (Show Details)Apr 5 2023, 2:35 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)May 15 2023, 8:27 PM

sbassett updated the task description. (Show Details)May 15 2023, 8:30 PM

sbassett updated the task description. (Show Details)May 15 2023, 8:35 PM

Mstyles updated the task description. (Show Details)May 15 2023, 11:06 PM

sbassett mentioned this in T323651: CVE-2023-37304: XSS in DoubleWiki extension (Wikisource).May 30 2023, 5:51 PM

sbassett updated the task description. (Show Details)Jun 7 2023, 6:16 PM

sbassett mentioned this in T338276: CVE-2023-37303: Wikimedia\Rdbms\DBQueryDisconnectedError when blocking user.

sbassett mentioned this in T250720: CVE-2023-37301: Wikidata edit filter does not fire when test tool says it should.Jun 15 2023, 4:34 PM

sbassett updated the task description. (Show Details)Jun 15 2023, 4:37 PM

sbassett updated the task description. (Show Details)Jun 20 2023, 5:03 PM

sbassett mentioned this in T330968: CVE-2023-37252: Special:CheckUserLog shows usernames which have been hidden.

sbassett updated the task description. (Show Details)Jun 20 2023, 5:17 PM

sbassett mentioned this in T339111: CVE-2023-37302: Style injection into badges on Wikidata due to unescaped quotes.Jun 20 2023, 5:20 PM

Dreamy_Jazz updated the task description. (Show Details)Jun 20 2023, 6:18 PM

Dreamy_Jazz updated the task description. (Show Details)Jun 28 2023, 12:06 AM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz updated the task description. (Show Details)Jun 28 2023, 12:13 AM

Assigned CVE and backport duties for this report:

@mmartorana
T333569 - CheckUser
T333980 - GoogleAnalyticsMetrics
T330968 - CheckUser
T331311 - Cargo
T331065 - Cargo

@Mstyles
T326952 - ProofreadPage
T323651 - DoubleWiki
T338276 - CheckUser
T250720 - Wikibase
T339111 - Wikibase

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.11/1.38.7/1.39.4/1.40.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

GoogleAnalyticsMetrics
+ (T333980, CVE-2023-37251) - GoogleAnalyticsMetrics parser function in extension does not properly escape js in onclick handler and does not prevent using javascript urls.
https://gerrit.wikimedia.org/r/c/905661

CheckUser
+ (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which have been hidden.
https://gerrit.wikimedia.org/r/c/933686
https://gerrit.wikimedia.org/r/c/932822

Cargo
+ (T331311, CVE-2023-37256) - Cargo allows storing javascript URLs in URL fields, and automatically linking them.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

Cargo
+ (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using default format.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666

ProofreadPage
+ (T326952, CVE-2023-37253) - ProofreadPage leaks suppressed user via the API and config variables.
https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

DoubleWiki
+ (T323651, CVE-2023-37304) - XSS in DoubleWiki extension (Wikisource).
https://gerrit.wikimedia.org/r/c/933666
https://gerrit.wikimedia.org/r/c/933667
https://gerrit.wikimedia.org/r/c/932825

CheckUser
+ (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when blocking user.
https://gerrit.wikimedia.org/r/c/932823

Wikibase
+ (T250720, CVE-2023-37301) - Wikidata edit filter does not fire when test tool says it should.
https://gerrit.wikimedia.org/r/c/933663

Wikibase
+ (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due to unescaped quotes.
https://gerrit.wikimedia.org/r/c/933649
https://gerrit.wikimedia.org/r/c/933650

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana updated the task description. (Show Details)Jun 29 2023, 3:56 PM

We'll definitely want to have at least the master/main backport links in the table above ready prior to sending any email announcements.

Dreamy_Jazz updated the task description. (Show Details)Jun 29 2023, 5:54 PM

Mstyles updated the task description. (Show Details)Jun 29 2023, 6:01 PM

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Jun 29 2023, 7:56 PM

Mstyles updated the task description. (Show Details)Jun 29 2023, 8:45 PM

mmartorana updated the task description. (Show Details)Jun 30 2023, 8:55 AM

Mstyles updated the task description. (Show Details)Jun 30 2023, 5:24 PM

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 30 2023, 6:17 PM

Mstyles changed the edit policy from "Subscribers" to "All Users".

Supplemental announcement is out!

Mstyles closed this task as Resolved.Jun 30 2023, 7:50 PM

Mstyles claimed this task.

Mstyles updated the task description. (Show Details)Jun 30 2023, 7:55 PM

sbassett removed a project: user-sbassett.Jul 5 2023, 8:24 PM

sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)Jul 6 2023, 3:30 PM

Patches for REL1_35 for T330968 are yet to be merged (just as an FYI). I've added them to the list.

sbassett updated the task description. (Show Details)Jul 6 2023, 3:32 PM

(Thanks for fixing the edit conflict)

Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)
Closed, ResolvedPublic
Actions

Description

Related Objects
Search...

Event Timeline

Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)Closed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)
Closed, ResolvedPublic
Actions

Related Objects
Search...