It seems we currently make no effort to backport security fixes in extensions, so anyone using a supported MediaWiki release will get security updates for core but not for their extensions. This seems pretty bad and should be either fixed, or some sort of warning mechanism should be set up so someone downloading a nominally supported extension version can get notified that it contains a security hole. Or at the very least we should put a very clear warning on the version support documentation page saying that there is no support whatsoever for extensions (Version_lifecycle#Extension_lifecycle_management kind of suggests the opposite now).
Uh... sorry, I probably had something specific in mind but I can't remember at all now what it was. Would sure have been nice if I had put it into the task description... please amend / close as invalid, if it's partially/completely wrong.
@greg No, not that I know of. Perhaps at https://wikitech.wikimedia.org/wiki/How_to_perform_security_fixes (which is out of date) or on some coding guidelines document on wikitech.
I have a couple of thoughts related to this. Ideally the backporting would be done by the person(s) submitting the patch for the fix, and the backport(s) should be required to be available at the same time as the original patch. This will make the security release process smoother.
I've always tried to ensure fixes are backported for extension fixes I'm involved with, but we probably need to do better.
The story around extension security fixes in general is not great. No version numbers, no announcement list, no central list of fixed vulnerabilities.
As a maintainer of a MediaWiki distribution this is a very important topic to me. When I compile a distribution package I only use LTS branches of MediaWiki and extensions/skins (as long as they are available). The bundled extensions/skins are always at an up-to-date state (good job!), but a lot of other extensions do not properly support the LTS branches. For non-bundled WMF extensions (like "Echo") I always had the feeling that they are also supporting LTS branches. Most other extension developers seem not to follow this approach. Maybe WMF could start an initiative to encourage extension developers to at least maintain LTS branches. In my own extensions I actually delete all branches that are not actively supported.