
Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases
Closed, Resolved · Public

Description

T169545 - $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)

'newbie' accounts (newly created accounts) are supposed to have more stringent rate limits applied, but the defaults for all users ('user') were taking precedence.

Affects all MediaWiki versions since 1.13.0 (Aug 2008).
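An added example (not MediaWiki's own code) that models the precedence fault in T169545 with a $wgRateLimits-shaped array: a hypothetical last-match-wins resolver lets the 'user' entry override the stricter 'newbie' entry for a new account, while a resolver that keeps the most restrictive matching entry applies the 'newbie' limit. The resolver functions, the limit values and the group list are constructed here and are not how MediaWiki implements the check.

```php
<?php
// Constructed config in the shape of $wgRateLimits: action => group => [hits, seconds].
$wgRateLimits = [
    'edit' => [
        'user'   => [ 90, 60 ],  // all logged-in users: 90 edits per minute
        'newbie' => [ 8, 60 ],   // newly created accounts: 8 edits per minute
    ],
];

// Hypothetical model of the pre-fix behaviour: entries are visited in a fixed
// order and the last match wins, so 'user' silently replaces 'newbie'.
// $groups lists the limit keys that apply to the account, e.g. ['user', 'newbie'].
function effectiveLimitLastWins(array $limits, string $action, array $groups): ?array {
    $result = null;
    foreach (['newbie', 'user'] as $key) {
        if (in_array($key, $groups, true) && isset($limits[$action][$key])) {
            $result = $limits[$action][$key];
        }
    }
    return $result;
}

// Hypothetical corrected resolver: among all entries that apply to the account,
// keep the most restrictive one (fewest allowed hits per second of window).
function effectiveLimitMostRestrictive(array $limits, string $action, array $groups): ?array {
    $result = null;
    foreach ($groups as $key) {
        if (!isset($limits[$action][$key])) {
            continue;
        }
        [$hits, $seconds] = $limits[$action][$key];
        if ($result === null || $hits / $seconds < $result[0] / $result[1]) {
            $result = [$hits, $seconds];
        }
    }
    return $result;
}

// A newly created account is both a 'user' and a 'newbie'.
$newAccountGroups = ['user', 'newbie'];

// Compare which entry each resolver picks for the new account: a review check
// that the stricter 'newbie' entry is the one actually enforced.
$lastWins = effectiveLimitLastWins($wgRateLimits, 'edit', $newAccountGroups);
$strictest = effectiveLimitMostRestrictive($wgRateLimits, 'edit', $newAccountGroups);
printf("last-match-wins resolver enforces %d hits per %d s\n", $lastWins[0], $lastWins[1]);
printf("most-restrictive resolver enforces %d hits per %d s\n", $strictest[0], $strictest[1]);
```

Running the script shows the first resolver enforcing the 'user' entry on a new account and the second enforcing the 'newbie' entry, which is the precedence the fix in 1.27.5/1.29.3/1.30.1/1.31.1 restores.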

T187638 - When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)

Allows users to see private information if they construct a URL manually.

Affects all MediaWiki versions since 1.27.0 (Jun 2016).

T194605 - BotPassword can bypass CentralAuth's account lock (CVE-2018-0505)

Creating a BotPassword would allow users to bypass an account lock (which is supposed to prevent the user from logging in at all or taking any actions) and continue to make edits, etc.

Affects all MediaWiki versions since 1.27.0 (Jun 2016).

T199029 - 1.31.0 tarball missing .htaccess files (CVE-2018-13258)

A packaging issue in the release script stripped the tarball of all .htaccess files, which are used to ensure that some directories are not web accessible if they don't need to be.

Affects MediaWiki 1.31.0 (Jun 2018) only if the tarball was used; git users were not affected.

Fixes for all 4 issues will be released in 1.27.5/1.29.3/1.30.1/1.31.1.

We're not requesting a CVE for T194237: bot passwords should call checkLoginSecurityLevel, which is a hardening fix.

Event Timeline

Reedy created this task. Jul 7 2018, 4:57 PM
Reedy created this object with visibility "Custom Policy".
Legoktm updated the task description. Aug 29 2018, 1:14 AM
Legoktm updated the task description. Aug 29 2018, 1:38 AM
MoritzMuehlenhoff closed this task as Resolved. Aug 29 2018, 10:58 AM
MoritzMuehlenhoff updated the task description.

I've added the CVE IDs to the task description.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 20 2018, 9:33 PM
Jdforrester-WMF renamed this task from "Obtain CVE's for 1.27.5/1.29.3/1.30.1/1.31.1 security releases" to "Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases". Sep 20 2018, 9:35 PM