
Security issues publicly announced, fixed but not released?
Closed, Invalid · Public

Description

Together with the announcement of MW 1.28.0-rc.0 on November 2, 2016 a total of six security issues were announced as fixed:

  1. (T137264) SECURITY: XSS in unclosed internal links
  2. (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  3. (T133147) SECURITY: Require login to preview user CSS pages
  4. (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  5. (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  6. (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true

Since no immediate releases for the MW 1.23, 1.26 and 1.27 branches were made I assumed that these are not affected. Today with the release of MW 1.28.0 I had a look at the very first issue and already learned that older supported branches are indeed affected too. I do not dare to look at the other five at this point. However this makes me believe that we are now in our fourth week of security issues known to the general public with no release addressing them. Is this assumption correct? If yes, I do not think that MediaWiki is in a desired situation.

Event Timeline

Kghbln created this task. Nov 28 2016, 8:43 PM
Restricted Application added a subscriber: Aklapper. Nov 28 2016, 8:43 PM
Kghbln renamed this task from "Security issues publicized but not fixed" to "Security issues publicly announced, fixed but not released?". Nov 28 2016, 8:45 PM
Reedy added a subscriber: Reedy. Edited Nov 28 2016, 8:46 PM

For number 6 (and 5)... It's already on all branches as of Aug 23

https://gerrit.wikimedia.org/r/#/q/Ic929a385fa81c27cbc6ac3a0862f51190d3ae993

@Reedy Ah, I get it, so the fixes were already released. One cannot really tell from the tagging if it is the case or not. So we are cool here?

Reedy added a comment. Nov 28 2016, 9:01 PM

> @Reedy Ah, I get it, so the fixes were already released. One cannot really tell from the tagging if it is the case or not. So we are cool here?

Taggings where, on phab? Or gerrit?

@Reedy Yeah, indeed invalid. Cool! Thanks a lot!

I meant the issue tagging here on phab.

Ah, there is a task assigned indicating the point release.

It has been a long day so senior moments involved, too.

You may have a jolly good laugh now.

hashar added a subscriber: hashar. Nov 28 2016, 9:38 PM

I'd rather have someone ask questions and get an answer than someone not bothering to ask when we could well have missed releasing a security patch! Thanks @Kghbln (and @Reedy).