
MediaWiki 1.26.3 security release
Closed, Resolved · Public

Description

Getting time for another one

MW Versions: 1.26.3 / 1.25.6 / 1.23.14

Branches tracked: REL1_23, REL1_25, REL1_26, REL1_27/master. Each task below had a per-branch patch column in the original table; the patch attachments themselves are not reproduced on this page, and the only cell notes that survived are kept in parentheses.

T122056: Old tokens are remaining valid within a new session
T127114: Login throttle can be tricked using non-canonicalized usernames
T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded (note: no pbkdf2)
T123653: Cross-domain policy regexp is too narrow
T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
T129506: MediaWiki:Gadget-popups.js isn't renderable
T126685: Globally throttle password attempts (note: already there)
T125283: Users occasionally logged in as different users after SessionManager deployment
T116030: Increase pbkdf2 parameter strengths (notes: no pbkdf2; already there)
T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags
T103239: Patrol allows click catching and patrolling of any page
T122807: [tracking] Check php crypto primitives
T98313: Graphs can leak tokens, leading to CSRF
T130947: Diff generation should use PoolCounter
T133507: Careless use of $wgExternalLinkTarget is insecure
T132874: API action=move is not rate limited
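The throttle bypass behind T127114 is easy to reproduce in miniature: a per-account login throttle keyed on the raw string the client sent gets a fresh counter for every spelling of the same account, while one keyed on the canonical user name does not. The script below is an added illustration of that difference and is not MediaWiki code or the patch attached to the task; the canonicalisation rules, the attempt limit and the list of spellings are assumptions chosen for the demonstration.

```python
"""Illustration for T127114: throttle keyed on raw vs. canonical user names.

Added example, not MediaWiki's implementation. The canonical form below is
modelled loosely on wiki user names (underscores become spaces, surrounding
and repeated whitespace is dropped, first character upper-cased) but is an
assumption for this demo, as is the attempt limit.
"""
from collections import defaultdict

MAX_ATTEMPTS = 5  # assumed per-account limit for this illustration


def canonical_username(name: str) -> str:
    """Collapse the spellings an attacker can vary into one key."""
    collapsed = " ".join(name.replace("_", " ").split())
    return collapsed[:1].upper() + collapsed[1:]


class LoginThrottle:
    """Counts failed logins per key and refuses once the limit is reached."""

    def __init__(self, canonicalize: bool, limit: int = MAX_ATTEMPTS):
        self.canonicalize = canonicalize
        self.limit = limit
        self.failures = defaultdict(int)

    def _key(self, username: str) -> str:
        # The vulnerable variant keys on the raw request string.
        return canonical_username(username) if self.canonicalize else username

    def record_failure(self, username: str) -> bool:
        """Return True if the attempt was allowed (and counted), False if throttled."""
        key = self._key(username)
        if self.failures[key] >= self.limit:
            return False
        self.failures[key] += 1
        return True


def count_allowed(throttle: LoginThrottle, spellings, per_spelling: int) -> int:
    """Simulate an attacker cycling through spellings; return attempts that got through."""
    allowed = 0
    for spelling in spellings:
        for _ in range(per_spelling):
            if throttle.record_failure(spelling):
                allowed += 1
    return allowed


# Constructed spellings that all canonicalise to the same account, "Admin".
SPELLINGS = ["Admin", "admin", " Admin", "Admin ", "Admin_", "_admin", "  admin  "]


def demo():
    """Return (attempts allowed with raw keys, attempts allowed with canonical keys)."""
    raw = count_allowed(LoginThrottle(canonicalize=False), SPELLINGS, per_spelling=10)
    canonical = count_allowed(LoginThrottle(canonicalize=True), SPELLINGS, per_spelling=10)
    return raw, canonical


if __name__ == "__main__":
    print(demo())
```

With seven spellings and a limit of five, the raw-keyed throttle lets 35 guesses through before every counter is exhausted, whereas the canonical-keyed one stops at five. The general rule is to derive the throttle key from the same normalised identity the authentication code will look up, never from the request bytes.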

Related Objects

Event Timeline

csteipp removed a subtask: Restricted Task.Apr 19 2016, 5:17 PM
demon updated the task description. Apr 20 2016, 3:09 PM
demon updated the task description. Apr 20 2016, 4:28 PM
demon updated the task description. Apr 20 2016, 4:48 PM
demon updated the task description. Apr 20 2016, 5:00 PM
demon updated the task description. Apr 20 2016, 7:55 PM

Patches for T122807: [tracking] Check php crypto primitives

csteipp updated the task description. Apr 25 2016, 3:27 PM
demon updated the task description. Apr 25 2016, 4:48 PM

Patches for T103239: Patrol allows click catching and patrolling of any page

csteipp updated the task description. Apr 25 2016, 5:46 PM
MaxSem updated the task description. Apr 25 2016, 9:24 PM

Patches for T98313

csteipp updated the task description. Apr 25 2016, 9:37 PM

Patches for 1.26 and master for T110143.

csteipp updated the task description. Apr 25 2016, 9:54 PM
MaxSem updated the task description. Apr 25 2016, 10:16 PM

Patches for 1.25 and most of 1.23 (missing scribunto)

csteipp updated the task description. Apr 25 2016, 11:09 PM
csteipp updated the task description. Apr 26 2016, 12:41 AM
demon updated the task description. Apr 26 2016, 4:49 PM
demon updated the task description. Apr 26 2016, 4:58 PM
demon updated the task description.
demon updated the task description. Apr 26 2016, 6:28 PM
demon updated the task description. Apr 26 2016, 6:44 PM

csteipp updated the task description. Apr 26 2016, 7:24 PM
demon updated the task description. Apr 26 2016, 7:56 PM

csteipp updated the task description. Apr 26 2016, 8:58 PM
csteipp updated the task description. Apr 27 2016, 6:51 PM

Is it too late for one more? I know this is really late in the game, but the underlying issue of T133507 has been trending on blogs, so it would be really cool to get it fixed in this release.

Patches in question for that bug are:

Considering we missed our proposed deadline of this week, I don't see why not. Go ahead and add them to the table.

dpatrick updated the task description.
Bawolff updated the task description. May 2 2016, 5:10 AM
Bawolff removed a subscriber: StudiesWorld.

I removed StudiesWorld from being subscribed to this bug. If I understand correctly, him being subscribed gave him access to all the patches attached to this bug, which was probably bad... (That said, he appears to be just a curious Wikipedian who found herald, so probably not too big a deal)

I also removed them from several other private tasks visible to subscribers: {T121058} {T127646} {T123811} {T127823}

@dpatrick / @Bawolff / @MaxSem - All those patches are deployed now. Can you all make sure you have 'SECURITY: ' at the start of the commit summary? Makes it easier to see on the cluster what's been added on top of master when deploying, and probably good to be consistent when we push these into master.

@MaxSem, are you able to do backports of the patch for T130947?

csteipp updated the task description.

I'll do the backports of T132874 today or tomorrow

Bawolff updated the task description. May 9 2016, 8:03 AM
Bawolff updated the task description. May 9 2016, 8:08 AM
demon updated the task description. May 10 2016, 9:19 PM

csteipp added a blocking task: T134863: Reflected XSS in GlobalGroupPermissions.

Adding this here as a reminder we need to release this, but the tarball doesn't really rely on this. We can do it any time.

demon updated the task description. May 10 2016, 9:27 PM
demon updated the task description. May 10 2016, 10:15 PM
demon updated the task description. May 10 2016, 10:35 PM
dpatrick updated the task description. May 11 2016, 9:20 PM

T130947: patch for 1.25-25 is

MaxSem updated the task description. May 11 2016, 9:46 PM

It also applies to REL1_23 when using --3way, so we can attach that too.

Although we should amend these to use array() syntax and not [].

MaxSem updated the task description. May 11 2016, 10:02 PM
MaxSem updated the task description. May 11 2016, 10:06 PM
greg awarded a token.May 12 2016, 12:52 AM
demon updated the task description. May 18 2016, 6:37 PM
demon updated the task description. May 18 2016, 7:05 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:23 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. May 20 2016, 5:24 PM
demon closed this task as Resolved.May 25 2016, 4:39 PM
demon claimed this task.