
Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1)
Closed, ResolvedPublic

Description

Per conversations with @Reedy and @CCicalese_WMF, I'm adding this subtask (and plan to have one for future mw security releases as well) to send a supplemental email to mediawiki-announce-l regarding any security-patched deployed or bundled extensions since the last mw security release. This is to promote some extra visibility for these critical extensions aside from folks paying careful attention to certain security bugs becoming public and/or routinely checking for relevant CVEs.

Maniphest ID | Extension      | CVE ID         | REL1_31 | REL1_32 | REL1_33 | master
T229541      | MobileFrontend | CVE-2019-14807 | Yes     | Yes     | Yes     | Yes
T230576      | MobileFrontend | CVE-2019-15124 | Yes     | Yes     | Yes     | Yes
T207094      | CheckUser      | CVE-2019-16529 | Yes     | Yes     | Yes     | Yes
T224203      | AbuseFilter    | CVE-2019-16528 | N/A     | Yes     | Yes     | Yes

Event Timeline

sbassett triaged this task as Medium priority.
sbassett removed a project: acl*security.
sbassett added a subscriber: Reedy.
sbassett updated the task description.

How do we want to do this? Put it in T225153? Or send it at a similar time to when we send T225153?

The plan is to get T225151 out next week.

@Reedy - I was thinking a separate, supplemental email, so people would just pay attention to that. But pretty much sent around the same time as the proper release announcement. I can come up with some boilerplate, should be pretty simple.

As for timing - there's one complication: T207094 is in a weird state right now as it's kind of half-solved. The first patch (re-mentioned at T207094#5512108) is applied to .23 right now in production. But it doesn't fully solve the problem as noted in that comment. But that task is PermanentlyPrivate so there isn't an information disclosure issue there, really. So if we made this task public (which mentions the CU task) and backport the patch in gerrit, we're still probably ok, kind of. But... the CU issue isn't fully resolved and might not be for a while due to perf issues. So I'm not 100% sure what to do here. The entire goal of this task and the email to mediawiki-announce-l was to publicize these security patches for deployed/bundled extensions for better visibility.

@Reedy - Thanks, I'll work on the boilerplate for this announcement today or tomorrow and post it here. Then write up the email and send it to mediawiki-announce-l, wikitech-l and mediawiki-l.

Just FYI, mediawiki-announce-l has restricted access (and by default, all messages to it are just dropped). Ping me when you want to send it, and I can prevent that happening and let it through for you :)

Just FYI, mediawiki-announce-l has restricted access

Ah, good to know. Thanks!

{{draft}}

Subject: MediaWiki Extensions Security Release Supplement

Greetings-

With the security/maintenance release of MediaWiki 1.31.4 / 1.32.4 / 1.33.1 [0], we would also like to provide this supplementary announcement of wmf-deployed extensions [1] with now-public security patches and backports [2]:

== MobileFrontend ==
+ (T229541, CVE-2019-14807) - JavaScript injection in edit summary on mobile site.
< https://gerrit.wikimedia.org/r/q/I0cb918f8148d1782882e104d127f08cbfa23e542 >

+ (T230576, CVE-2019-15124) - XSS in edit summary for ex:MobileFrontend Special:Watchlist
< https://gerrit.wikimedia.org/r/q/If4e91093c676de3391e6dde415c8c91c1f582998 >

== CheckUser ==
+ (T207094 [task to remain private], CVE-2019-16529) - Oversighted edit summaries still visible in CheckUser results
< https://gerrit.wikimedia.org/r/q/I3d28bd9f14c1237a34afcd2e4479152f571e29a6 >

== AbuseFilter ==
+ (T224203 [task to remain private], CVE-2019-16528) - Oversighting the user who performed an edit doesn't hide it from the abuse filter log
< https://gerrit.wikimedia.org/r/q/If3d3256404d0f3dbde171831937d1a816b3e2734 >

The Wikimedia Security Team recommends updating these extensions to the current master branch or supported release branches [3] as soon as possible. As you may have noticed, some of the referenced Phabricator tasks above are still private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns, please feel free to contact security@wikimedia.org or file a security task within Phabricator.

[0] https://lists.wikimedia.org/pipermail/wikitech-l/2019-October/092656.html
[1] https://w.wiki/9hi
[2] https://phabricator.wikimedia.org/T232113
[3] https://www.mediawiki.org/wiki/Version_lifecycle

@Reedy - suggestions or improvements on the above?

sbassett removed a project: user-sbassett.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".