MediaWiki 1.27.1 security release
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• csteipp
	Apr 19 2016, 5:17 PM

Description

This will probably happen several weeks after 1.27 is released.

MW Versions: 1.27.1/1.26.4/1.23.15. Note, 1.25 is already EOL.

Core

Maniphest ID	CVE ID	REL1_23	REL1_26	REL1_27	REL1_28/master
T115333	CVE-2016-6331	T115333-REL1_23.patch1 KBDownload	T115333-REL1_26.patch1 KBDownload	T115333-REL1_27.patch1 KBDownload	T115333-master.patch1 KBDownload
T129738	CVE-2016-6332	T129738-part1-REL1_231 KBDownload , T129738-part2-REL1_23.patch3 KBDownload	T129738-part1-REL1_26.patch1 KBDownload , T129738-part2-REL1_26.patch4 KBDownload	T129738-part1-REL1_27.patch1 KBDownload , T129738-part2-REL1_27.patch4 KBDownload	Make Blocks log out user in question if $wgBlockDisablesLogin is set1 KBDownload , [v3] Make wgBlockDisablesLogin restrict logged in users rights to anon4 KBDownload
T133147	CVE-2016-6333	T133147-part1-REL1_23.patch1 KBDownload , T133147-part2-REL1_23.patch1 KBDownload	T133147-part1-REL1_26.patch1 KBDownload , T133147-part2-REL1_26.patch1 KBDownload	T133147-part1-REL1_27.patch1 KBDownload , T133147-part2-REL1_27.patch1 KBDownload	T133147-part1-master.patch1 KBDownload , T133147-part2-master1 KBDownload
T137264	CVE-2016-6334	T137264-REL1_23.patch1 KBDownload	T137264-REL1_26.patch1 KBDownload	T137264-REL1_27.patch1 KBDownload	0001-SECURITY-XSS-in-unclosed-internal-links.patch1 KBDownload
T139570	CVE-2016-6335	T139565-REL1_23.patch2 KBDownload	T139565-REL1_26.patch2 KBDownload	T139565-REL1_27.patch1 KBDownload	Already present
T132926	CVE-2016-6336	T132926-REL1_23.patch1 KBDownload	T132926-REL1_26.patch1 KBDownload	T132926-REL1_26.patch1 KBDownload	T132926-master.patch1 KBDownload
T139670	CVE-2016-6337	n/a (no SessionManager)	n/a (no SessionManager)	0001-SECURITY-Move-UserGetRights-call-before-application-.patch3 KBDownload	0001-SECURITY-Move-UserGetRights-call-before-application-.patch3 KBDownload

Extensions

	REL1_23	REL1_26	REL1_27	REL1_28/master
T136402 [pdfHandler]	T136402-REL1_23.patch878 BDownload	0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload	0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload	0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload [master patch applies cleanly to everything except 1.23]

Details

	Subject	Repo	Branch	Lines +/-
	Gerrit: Make IPv6 optional	operations/puppet	production	+7 -5

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	• demon	T133070 MediaWiki 1.27.1 security release
Resolved	• demon	T57548 Html::expandAttributes can be tricked into omitting necessary quotes
Resolved	Bawolff	T129738 Blocked accounts on BlockDisablesLogin wikis aren't logged out
Resolved	• dpatrick	T137264 XSS in Parser::replaceInternalLinks2 during replacement of percent encoding in unclosed internal links
Resolved	Bawolff	T115333 API action=parse does not check-per title read permissions
Resolved	Bawolff	T136402 PdfHandler extension doesn't use -dSAFER option of ghostscript
Resolved	• dpatrick	T133147 XSS via CSS user subpage preview feature
Resolved	None	T139570 API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP
Resolved	Bawolff	T132926 Admins can get around oversight (suppression) of file revisions
Resolved	• dpatrick	T139670 Central auth global groups don't take session rights limit into account

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Removed REL1_25 column as it hit EOL already.

MaxSem renamed this task from MediaWiki 1.26.4 security release to MediaWiki 1.27.1 security release.Jun 29 2016, 5:03 PM

The two Flow patches do not block this release, they are not bundled. They should be pushed to all supported branches and announced (mediawiki-announce, I can help with this)

• dpatrick updated the task description. (Show Details)Jul 7 2016, 8:21 PM

• dpatrick added a subtask: T139570: API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP.

Bawolff added a subtask: T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException.Jul 7 2016, 8:53 PM

Bawolff added a subtask: T132926: Admins can get around oversight (suppression) of file revisions.Jul 7 2016, 9:22 PM

Legoktm updated the task description. (Show Details)Jul 7 2016, 10:48 PM

Jdforrester-WMF subscribed.Jul 7 2016, 11:41 PM

• dpatrick updated the task description. (Show Details)Jul 8 2016, 10:31 PM

• dpatrick added a subtask: T128695: Block::updateTimestamp() updates expiry of all blocks for the IP.

Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jul 10 2016, 5:45 PM

Bawolff added a subtask: T128624: Moving a page over redirect loses the protection settings for that page.Jul 10 2016, 5:48 PM

Bawolff added a subtask: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).Jul 10 2016, 6:06 PM

Bawolff closed subtask T139570: API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP as Resolved.Jul 18 2016, 7:50 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 8:32 AM

Bawolff removed a subtask: Restricted Task.Jul 18 2016, 8:36 AM

Bawolff removed a subtask: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).

Bawolff updated the task description. (Show Details)Jul 18 2016, 8:43 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 8:45 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 9:28 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 9:37 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 9:41 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 9:45 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 9:54 AM

Bawolff updated the task description. (Show Details)Jul 18 2016, 10:11 AM

• dpatrick added a subtask: T130384: CentralAuth doesn't check if given valid but unusable name.Jul 18 2016, 7:24 PM

Bawolff closed subtask T136402: PdfHandler extension doesn't use -dSAFER option of ghostscript as Resolved.Jul 18 2016, 10:22 PM

Bawolff closed subtask T115333: API action=parse does not check-per title read permissions as Resolved.Jul 18 2016, 10:24 PM

• dpatrick closed subtask T132926: Admins can get around oversight (suppression) of file revisions as Resolved.Jul 18 2016, 10:37 PM

Bawolff updated the task description. (Show Details)Jul 18 2016, 10:37 PM

• dpatrick closed subtask T133147: XSS via CSS user subpage preview feature as Resolved.Jul 18 2016, 10:44 PM

• dpatrick closed subtask T137593: Topics that are deleted then suppressed expose topic title in public deletion log as Resolved.Jul 18 2016, 10:49 PM

• dpatrick closed subtask T137288: Applying deletelogentry restrictions to flow deletion log entries does not work as Resolved.

Bawolff closed subtask T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out as Resolved.Jul 18 2016, 11:02 PM

• dpatrick updated the task description. (Show Details)Jul 18 2016, 11:02 PM

Flow, as an un-bundled extension, can be removed from this tracker. They should be fixed in all supported branches and announced widely. That's all we need for that.

• dpatrick updated the task description. (Show Details)Jul 20 2016, 7:28 PM

Anomie closed subtask T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException as Resolved.Jul 25 2016, 1:53 PM

Bawolff updated the task description. (Show Details)Aug 1 2016, 12:14 PM

Bawolff updated the task description. (Show Details)Aug 1 2016, 12:17 PM

• dpatrick updated the task description. (Show Details)Aug 1 2016, 5:41 PM

• dpatrick updated the task description. (Show Details)Aug 1 2016, 9:08 PM

• demon mentioned this in rOPUP4cdf19929cc7: Gerrit: Make IPv6 optional.Aug 1 2016, 10:15 PM

Dzahn mentioned this in rOPUP4a2af53fa670: Gerrit: Make IPv6 optional.Aug 1 2016, 10:32 PM

Dzahn mentioned this in rOPUP9c04e8d7f183: Gerrit: Make IPv6 optional.

• demon updated the task description. (Show Details)Aug 2 2016, 6:21 PM

T130384 is not a core change and not a bundled extension (it's CentralAuth). Let's remove it from the list, push to branches, and announce.

T133147-part2-REL1_23.patch1 KBDownload

doesn't apply cleanly to REL1_23. Otherwise that branch checks out ok.

In T133070#2516274, @demon wrote:

T133147-part2-REL1_23.patch1 KBDownload
doesn't apply cleanly to REL1_23. Otherwise that branch checks out ok.

I think that patch was based on top of the patch for T57548-REL1_23.patch (The two patches conflicted with each other)

Bawolff updated the task description. (Show Details)Aug 2 2016, 8:50 PM

I haven't checked the patches linked here, but can we make sure the commit message starts with "SECURITY"? We've been a bit inconsistent with that lately, and it makes them much easier to spot (noticed when rebasing before deploying on tin)

• dpatrick closed subtask T130384: CentralAuth doesn't check if given valid but unusable name as Resolved.Aug 8 2016, 9:58 PM

• dpatrick updated the task description. (Show Details)

In T133070#2531673, @Legoktm wrote:

I haven't checked the patches linked here, but can we make sure the commit message starts with "SECURITY"? We've been a bit inconsistent with that lately, and it makes them much easier to spot (noticed when rebasing before deploying on tin)

Thanks for noticing that, @Legoktm. We'll be vigilant about that in the future.

• dpatrick updated the task description. (Show Details)Aug 10 2016, 12:50 AM

Patch for T137264 does not apply to master.

• demon updated the task description. (Show Details)Aug 10 2016, 8:20 PM

• dpatrick added a subscriber: Ejegg.Aug 10 2016, 8:32 PM

• dpatrick updated the task description. (Show Details)Aug 10 2016, 8:45 PM

• dpatrick updated the task description. (Show Details)Aug 10 2016, 8:51 PM

• demon updated the task description. (Show Details)Aug 10 2016, 8:52 PM

• demon updated the task description. (Show Details)Aug 10 2016, 9:10 PM

• demon edited subtasks, added: T139670: Central auth global groups don't take session rights limit into account; removed: T130384: CentralAuth doesn't check if given valid but unusable name, T128624: Moving a page over redirect loses the protection settings for that page, T128695: Block::updateTimestamp() updates expiry of all blocks for the IP, T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException, T137593: Topics that are deleted then suppressed expose topic title in public deletion log, T137288: Applying deletelogentry restrictions to flow deletion log entries does not work.Aug 10 2016, 9:14 PM

• demon updated the task description. (Show Details)Aug 10 2016, 10:14 PM

• demon updated the task description. (Show Details)

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

In T133070#2542533, @demon wrote:

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

Im fine with that, however im away for the rest of the week, so i cannot be the one to do it.

In T133070#2542613, @Bawolff wrote:

In T133070#2542533, @demon wrote:

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

Im fine with that, however im away for the rest of the week, so i cannot be the one to do it.

Oh I can do it myself I just wanted a second opinion :)

T132926-REL1_26.patch, listed in the 1.27.1 column, doesn't apply to REL1_27 (as suggested by the name). T132926-master.patch does work on REL1_27 though.

In T133070#2542737, @Ejegg wrote:

T132926-REL1_26.patch, listed in the 1.27.1 column, doesn't apply to REL1_27 (as suggested by the name). T132926-master.patch does work on REL1_27 though.

Yeah, I had to do a manual rebase locally to sort out the conflicts. It's trivial though.

Removed T57548 since it's already backported to 1.23/1.26 as well.

• demon updated the task description. (Show Details)Aug 19 2016, 9:02 PM

• demon closed subtask T57548: Html::expandAttributes can be tricked into omitting necessary quotes as Resolved.Aug 22 2016, 8:50 PM

• dpatrick updated the task description. (Show Details)Aug 23 2016, 12:40 AM

• demon closed this task as Resolved.Aug 23 2016, 1:24 AM

• demon claimed this task.

• demon changed the visibility from "Custom Policy" to "Public (No Login Required)".

• demon changed Security from Software security bug to None.

• demon updated the task description. (Show Details)

• dpatrick mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Aug 24 2016, 6:05 PM

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:35 PM