Page MenuHomePhabricator
Create Task
Maniphest T205041

Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Reedy
Sep 20 2018, 9:55 PM
Tags
Referenced Files
F29268881: 1.33.0.tar
May 28 2019, 11:57 PM
F29268882: master.tar
May 28 2019, 11:57 PM
F29268885: 1.30.2.tar
May 28 2019, 11:57 PM
F29268884: 1.27.6.tar
May 28 2019, 11:57 PM
F29268880: 1.32.2.tar
May 28 2019, 11:57 PM
F29268883: 1.31.2.tar
May 28 2019, 11:57 PM
F29264915: 07-T221739-master.patch
May 28 2019, 3:20 PM
F29264913: 05-T199540-master.patch
May 28 2019, 3:20 PM
View All 14 Files
Subscribers
Aklapper
CCicalese_WMF
greg
Jdforrester-WMF
Reedy
Rxy

Description

Previous work T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release

Tracking bug for next security release

Maniphest IDCVE IDREL1_27REL1_30REL1_31REL1_32REL1_33master
T204729CVE-2019-12473mergedmergedmergedmergedmergedmerged
T25227CVE-2019-12466mergedmergedmergedmergedmergedmerged
T207603CVE-2019-12471mergedmergedmergedmergedmergedmerged
T221739CVE-2019-11358 (upstream)
T197279CVE-2019-12468
01-T197279-master.patch1 KBDownload
T208881n/a
03-T208881-master.patch1 KBDownload
T209794CVE-2019-12467
04-T209794-master.patch1 KBDownload
T199540CVE-2019-12472
05-T199540-master.patch2 KBDownload
T212118CVE-2019-12474
06-T212118-master.patch2 KBDownload
T222036CVE-2019-12469
08-T222036-master.patch1 KBDownload
T222038CVE-2019-12470
09-T222038-master.patch2 KBDownload

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledNoneT302086 Set scap minimum python version to 3.7
 ResolvedNoneT247045 Migrate all of production metal and VMs to Buster or later
 ResolvedakosiarisT249724 Track and remove jessie based container images from production
 ResolvedJdforrester-WMFT224908 Drop jessie testing support
 ResolvedJdforrester-WMFT224907 Drop php55 testing support
 ResolvedReedyT205039 Release MediaWiki 1.27.6/1.30.2/1.31.2/1.32.2
 ResolvedReedyT205041 Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
 ResolvedBawolffT197279 Direct POST to Special:ChangeEmail will bypass reauth check
 ResolvedAnomieT204729 Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple
 ResolvedBawolffT207603 CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned
 ResolvedBawolffT208881 CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser
 ResolvedLegoktmT199540 Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API
 ResolvedLucas_Werkmeister_WMDET212118 API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly
 ResolvedBawolffT209794 Need to make a limit of count of attempts to change email address
 ResolvedsbassettT222036 Exposed suppressed username or log in Special:EditTags
 ResolvedsbassettT222038 Exposed suppressed log in RevisionDelete page
 ResolvedJdforrester-WMFT221739 Patch jQuery due to CVE-2019-11358
 ResolvedsbassettT25227 Use token when logging out
 ResolvedsbassettT221868 Send out wikitech-l post for T25227 ("Use token when logging out")

Event Timeline

Reedy created this task.Sep 20 2018, 9:55 PM
Reedy created this object with visibility "Custom Policy".
Reedy added a subtask: T197279: Direct POST to Special:ChangeEmail will bypass reauth check.Sep 21 2018, 6:14 PM
Legoktm added a subtask: T204729: Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple.Sep 23 2018, 7:58 PM
Jdforrester-WMF subscribed.Sep 26 2018, 5:23 PM
Legoktm added a subtask: T207603: CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned.Oct 22 2018, 3:36 PM
Legoktm closed subtask T197279: Direct POST to Special:ChangeEmail will bypass reauth check as Resolved.
Bawolff added a subtask: T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser.Nov 8 2018, 6:17 AM
Legoktm added a subtask: T199540: Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API.Dec 20 2018, 9:45 AM
Reedy renamed this task from Tracking bug for 1.27.6/1.30.2/1.31.2 security release to Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.1 security release.Feb 13 2019, 2:24 AM
sbassett mentioned this in T212118: API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly.Feb 19 2019, 4:16 PM
Legoktm added a subtask: T212118: API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly.Mar 8 2019, 9:23 PM
Legoktm added a subtask: T209794: Need to make a limit of count of attempts to change email address.Mar 8 2019, 10:26 PM
Legoktm added a subtask: Restricted Task.Mar 8 2019, 10:29 PM
Aklapper renamed this task from Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.1 security release to Tracking bug for 1.27.6/1.31.2/1.32.1 security release.Mar 18 2019, 12:30 AM
Aklapper edited projects, added MW-1.32-release; removed MW-1.30-release.
Reedy added a comment.EditedMar 18 2019, 1:03 AM

@Aklapper Although 1.30 is unsupported, I suspect pressure will be for us to release a 1.30.2 with both security and maintenance releases (like we had with 1.29 IIRC), because of things already backported...

That, and there wasn't any sort of final 1.30 release around the time of it going EOL...

Aklapper renamed this task from Tracking bug for 1.27.6/1.31.2/1.32.1 security release to Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.1 security release.Mar 18 2019, 1:43 AM
Aklapper added a project: MW-1.30-release.

meh

greg subscribed.Apr 9 2019, 10:59 PM
greg added a subscriber: CCicalese_WMF.Apr 12 2019, 1:23 AM
sbassett mentioned this in T218091: Security Team quarterly check in for April - June 2019.Apr 19 2019, 7:02 PM
Reedy mentioned this in T221739: Patch jQuery due to CVE-2019-11358.Apr 29 2019, 7:37 PM
Reedy added a subtask: T222036: Exposed suppressed username or log in Special:EditTags.Apr 30 2019, 3:51 PM
Reedy added a subtask: T222038: Exposed suppressed log in RevisionDelete page.
Rxy subscribed.Apr 30 2019, 3:53 PM
Reedy added a subtask: T221739: Patch jQuery due to CVE-2019-11358.Apr 30 2019, 3:53 PM
Reedy added a subtask: T25227: Use token when logging out.
Reedy triaged this task as High priority.Apr 30 2019, 4:00 PM
Reedy mentioned this in T213595: Release 1.32.1 as a maintenance release.
Reedy renamed this task from Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.1 security release to Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Apr 30 2019, 6:28 PM
sbassett closed subtask T222038: Exposed suppressed log in RevisionDelete page as Resolved.Apr 30 2019, 9:53 PM
sbassett closed subtask T222036: Exposed suppressed username or log in Special:EditTags as Resolved.
sbassett closed subtask T25227: Use token when logging out as Resolved.May 6 2019, 3:14 PM
Aklapper reopened subtask T197279: Direct POST to Special:ChangeEmail will bypass reauth check as Open.May 27 2019, 9:15 AM
Reedy closed subtask T197279: Direct POST to Special:ChangeEmail will bypass reauth check as Resolved.May 28 2019, 1:51 PM
Reedy closed subtask T212118: API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly as Resolved.May 28 2019, 2:34 PM
Jdforrester-WMF mentioned this in T197279: Direct POST to Special:ChangeEmail will bypass reauth check.May 28 2019, 2:40 PM
Reedy closed subtask T209794: Need to make a limit of count of attempts to change email address as Resolved.May 28 2019, 2:45 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)May 28 2019, 2:50 PM
Reedy updated the task description. (Show Details)May 28 2019, 2:53 PM
Reedy updated the task description. (Show Details)May 28 2019, 2:55 PM
Reedy updated the task description. (Show Details)
Jdforrester-WMF updated the task description. (Show Details)May 28 2019, 2:58 PM
Jdforrester-WMF added a project: MW-1.33-release.
Reedy updated the task description. (Show Details)May 28 2019, 3:00 PM
Reedy updated the task description. (Show Details)May 28 2019, 3:07 PM
Reedy updated the task description. (Show Details)May 28 2019, 3:20 PM
Jdforrester-WMF added a comment.May 28 2019, 3:48 PM

1.30 went EOL in December 2018; are you still planning the release for that branch?

Reedy added a comment.May 28 2019, 9:43 PM
In T205041#5217192, @Jdforrester-WMF wrote:

1.30 went EOL in December 2018; are you still planning the release for that branch?

I am. It hasn't been formally EOL'd (no announcement or anything beyond possibly wiki document updates), and there are outstanding maintenance patches that are unreleased on the branch.

I can't remember where the discussion was offhand, but the jist of it was it's a bit "unfair" and messy that we hadn't made a release out of it. Which I think was fair enough, and still stands here

And I think sending a REL1_30 EOL announcement now/today (ish) and then a security release within the next week is somewhat of a dick move. I therefore to plan to EOL REL1_30 in this point release, like I did with REL1_29 in the 1.29.3 release announcement

Hopefully, the effort for backporting to REL1_30 should be minimal, as such I'll just do it with the rest of these

Basically, we need to get more proactive at doing maintenance (and security!) releases, and these should probably co-incide with EOL announcements too (I know, preaching to the choir)

Reedy updated the task description. (Show Details)May 28 2019, 10:47 PM
Reedy added a comment.May 28 2019, 11:57 PM

Completely untested... But this does RELEASE-NOTES, bumping and the "next" commit for the relevant branches that will be continuing. Saving here as WIP until a couple of other tasks/commits are dealt with.

Feel free to help test/review these. I've not had a look for any usages of "new" functions that might not be in 1.27/1.30 (and potentially even 1.31 and 1.32)

1.32.2.tar30 KBDownload

1.33.0.tar20 KBDownload

master.tar20 KBDownload

1.31.2.tar30 KBDownload

1.27.6.tar30 KBDownload

1.30.2.tar30 KBDownload

Reedy removed a subtask: Restricted Task.May 28 2019, 11:58 PM
Reedy updated the task description. (Show Details)
Reedy closed subtask T208881: CSS using var() to create exponential sized calc() on wiki page will crash visitor's browser as Resolved.May 29 2019, 12:16 AM
Reedy updated the task description. (Show Details)May 30 2019, 5:30 PM
Reedy closed subtask T221739: Patch jQuery due to CVE-2019-11358 as Resolved.Jun 4 2019, 10:26 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Jun 5 2019, 9:08 PM
Reedy mentioned this in T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release.Jun 5 2019, 9:20 PM
Reedy closed this task as Resolved.Jun 6 2019, 3:58 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:28 PM
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL