
MediaWiki 1.27.1 security release
Closed, ResolvedPublic

Description

This will probably happen several weeks after 1.27 is released.

MW Versions: 1.27.1/1.26.4/1.23.15. Note, 1.25 is already EOL.

Core

Maniphest ID | CVE ID | REL1_23 | REL1_26 | REL1_27 | REL1_28/master
T115333 | CVE-2016-6331
T129738 | CVE-2016-6332
T133147 | CVE-2016-6333
T137264 | CVE-2016-6334
T139570 | CVE-2016-6335 | Already present
T132926 | CVE-2016-6336
T139670 | CVE-2016-6337 | n/a (no SessionManager) | n/a (no SessionManager)

Extensions

Task | REL1_23 | REL1_26 | REL1_27 | REL1_28/master
T136402 [pdfHandler] | master patch applies cleanly to everything except 1.23

Event Timeline


For the blockdisableslogin bug, there's some dispute as to whether the patch fully covers the issue on the bug, so perhaps we should hold back on that one.

The Quiz patch is slightly more complicated, as that patch should probably be included at the same time as T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815) and T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) are included (specifically at the same time as F3334487, F3278917 and F3278753).

Bawolff updated the task description. (Show Details)Jun 28 2016, 4:42 PM
demon updated the task description. (Show Details)Jun 29 2016, 4:42 PM
demon added a subscriber: demon.

Removed REL1_25 column as it hit EOL already.

MaxSem renamed this task from MediaWiki 1.26.4 security release to MediaWiki 1.27.1 security release.Jun 29 2016, 5:03 PM
demon added a comment.Jun 29 2016, 5:57 PM

The two Flow patches do not block this release; they are not bundled. They should be pushed to all supported branches and announced (mediawiki-announce, I can help with this).

Legoktm updated the task description. (Show Details)Jul 7 2016, 10:48 PM
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:32 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:43 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:45 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:28 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:37 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:41 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:45 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:54 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 10:11 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 10:37 PM
demon added a comment.Jul 19 2016, 4:50 PM

Flow, as an un-bundled extension, can be removed from this tracker. They should be fixed in all supported branches and announced widely. That's all we need for that.

dpatrick updated the task description. (Show Details)Jul 20 2016, 7:28 PM
Bawolff updated the task description. (Show Details)Aug 1 2016, 12:14 PM
Bawolff updated the task description. (Show Details)Aug 1 2016, 12:17 PM
dpatrick updated the task description. (Show Details)Aug 1 2016, 5:41 PM
dpatrick updated the task description. (Show Details)Aug 1 2016, 9:08 PM
demon updated the task description. (Show Details)Aug 2 2016, 6:21 PM
demon added a comment.Aug 2 2016, 6:32 PM

T130384 is not a core change and not a bundled extension (it's CentralAuth). Let's remove it from the list, push to branches, and announce.

demon added a comment.Aug 2 2016, 6:40 PM

doesn't apply cleanly to REL1_23. Otherwise that branch checks out ok.

I think that patch was based on top of the patch for T57548-REL1_23.patch (The two patches conflicted with each other)

Bawolff updated the task description. (Show Details)Aug 2 2016, 8:50 PM
Legoktm added a subscriber: Legoktm.Aug 7 2016, 8:47 PM

I haven't checked the patches linked here, but can we make sure the commit message starts with "SECURITY"? We've been a bit inconsistent with that lately, and it makes them much easier to spot (noticed when rebasing before deploying on tin)

Thanks for noticing that, @Legoktm. We'll be vigilant about that in the future.

demon added a comment.Aug 10 2016, 8:13 PM

Patch for T137264 does not apply to master.

demon updated the task description. (Show Details)Aug 10 2016, 8:20 PM
dpatrick updated the task description. (Show Details)Aug 10 2016, 8:45 PM
dpatrick updated the task description. (Show Details)Aug 10 2016, 8:51 PM
demon updated the task description. (Show Details)Aug 10 2016, 8:52 PM
demon updated the task description. (Show Details)Aug 10 2016, 9:10 PM
demon updated the task description. (Show Details)Aug 10 2016, 10:14 PM
demon updated the task description. (Show Details)

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

I'm fine with that, however I'm away for the rest of the week, so I cannot be the one to do it.

Oh, I can do it myself, I just wanted a second opinion :)

Ejegg added a comment.Aug 11 2016, 3:01 AM

T132926-REL1_26.patch, listed in the 1.27.1 column, doesn't apply to REL1_27 (as suggested by the name). T132926-master.patch does work on REL1_27 though.

demon added a comment.Aug 11 2016, 3:07 AM

Yeah, I had to do a manual rebase locally to sort out the conflicts. It's trivial, though.

demon updated the task description. (Show Details)Aug 19 2016, 3:10 PM

Removed T57548 since it's already backported to 1.23/1.26 as well.

demon updated the task description. (Show Details)Aug 19 2016, 9:02 PM
demon closed this task as Resolved.Aug 23 2016, 1:24 AM
demon claimed this task.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed Security from Software security bug to None.
demon updated the task description. (Show Details)
sbassett moved this task from Backlog to Done on the Security-Team board.Jun 11 2019, 6:35 PM