Page MenuHomePhabricator

MediaWiki 1.26.3 security release
Closed, ResolvedPublic

Description

Getting time for another one

MW Versions: 1.26.3/1.25.6/1.23.14

REL1_23REL1_25REL1_26REL1_27/master
T122056: Old tokens are remaining valid within a new session
T127114: Login throttle can be tricked using non-canonicalized usernames
T127420: Pbkdf2Password does not check if hash_pbkdf2() succeededno pbkdf2
T123653: Cross-domain policy regexp is too narrow
T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
T129506: MediaWiki:Gadget-popups.js isn't renderable
T126685: Globally throttle password attemptsalready there
T125283: Users occasionally logged in as different users after SessionManager deployment
T116030: Increase pbkdf2 parameter strengths (2015/2016)no pbkdf2already there
T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags,,,,
T103239: Patrol allows click catching and patrolling of any page
T122807: [tracking] Check php crypto primatives
T98313: Graphs can leak tokens, leading to CSRF
T130947: Diff generation should use PoolCounter
T133507: Careless use of $wgExternalLinkTarget is insecure
T132874: API action=move is not rate limited

Related Objects

StatusSubtypeAssignedTask
Resolveddemon
ResolvedYurik
Resolvedcsteipp
Resolvedcsteipp
ResolvedBawolff
Resolvedcsteipp
ResolvedNone
Resolvedcsteipp
ResolvedBawolff
Resolved dpatrick
Resolvedcsteipp
Resolved dpatrick
Resolvedcsteipp
Resolveddemon
Resolvedcsteipp
ResolvedLegoktm
ResolvedDannyS712
Resolvedcsteipp
Resolvedcsteipp
Resolvedcsteipp

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
csteipp removed a subtask: Restricted Task.Apr 19 2016, 5:17 PM

Patches for T122807: [tracking] Check php crypto primatives

Patches for T103239: Patrol allows click catching and patrolling of any page

Patches for T98313

Patches for 1.26 and master for T110143.

Patches for 1.25 and most of 1.23 (missing scribunto)

demon updated the task description. (Show Details)

Is it too late for one more? I know this is really late in the game, but the underlying issue of T133507 has been trending on blogs, so it would be really cool to get it fixed in this release.

Patches in question for that bug are:

Is it too late for one more? I know this is really late in the game, but the underlying issue of T133507 has been trending on blogs, so it would be really cool to get it fixed in this release.

Patches in question for that bug are:

Considering we missed our proposed deadline of this week, I don't see why not. Go ahead and add them to the table.

I removed StudiesWorld from being subscribed to this bug. If I understand correctly, him being subscribed gave him access to all the patches attached to this bug, which was probably bad... (That said, he appears to be just a curious Wikipedian who found herald, so probably not too big a deal)

I also removed them from several other private tasks visible to subscribers: {T121058} {T127646} {T123811} {T127823}

@dpatrick / @Bawolff / @MaxSem - All those patches are deployed now. Can you all make sure you have 'SECURITY: ' at the start of the commit summary? Makes it easier to see on the cluster what's been added on top of master when deploying, and probably good to be consistent when we push these into master.

@MaxSem, are you able to do backports of the patch for T130947?

csteipp added a blocking task: T134863: Reflected XSS in GlobalGroupPermissions.

Adding this here as a reminder we need to release this, but the tarball doesn't really rely on this. We can do it any time.

T130947: patch for 1.25-25 is

It also applies to REL1_23 when using --3way, so we can attach that too.

Although we should amend these to use array() syntax and not [].

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:23 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
demon claimed this task.