Per conversations with @Reedy and @CCicalese_WMF, I'm adding this subtask (and plan to have one for future mw security releases as well) to send a supplemental email to mediawiki-announce-l regarding any security-patched deployed or bundled extensions since the last mw security release. This is to promote some extra visibility for these critical extensions aside from folks paying careful attention to certain security bugs becoming public and/or routinely checking for relevant CVEs.
|Resolved||Reedy||T225151 Release MediaWiki 1.31.4/1.32.4/1.33.1|
|Resolved||sbassett||T232113 Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1)|
- Mentioned In
- T234983: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.6/1.32.6/1.33.2)
T133735: Formalize procedures for doing security releases of MediaWiki extensions
T233213: XSS in Wikidata Query Service UI, DATATYPE_MATHML - CVE-2019-19329
- Mentioned Here
- T225151: Release MediaWiki 1.31.4/1.32.4/1.33.1
T225153: Write and send release announcements for MediaWiki 1.31.4/1.32.4/1.33.1
T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124)
@Reedy - I was thinking a separate, supplemental email, so people would just pay attention to that. But pretty much sent around the same time as the proper release announcement. I can come up with some boilerplate, should be pretty simple.
As for timing - there's one complication: T207094 is in a weird state right now as it's kind of half-solved. The first patch (re-mentioned at T207094#5512108) is applied to .23 right now in production. But it doesn't fully solve the problem as noted in that comment. But that task is PermanentlyPrivate so there isn't an information disclosure issue there, really. So if we made this task public (which mentions the CU task) and backport the patch in gerrit, we're still probably ok, kind of. But... the CU issue isn't fully resolved and might not be for a while due to perf issues. So I'm not 100% sure what to do here. The entire goal of this task and the email to mediawiki-announce-l was to publicize these security patches for deployed/bundled extensions for better visibility.
Just FYI, mediawiki-announce-l has restricted access (and by default, all messages to it are just dropped). Ping me when you want to send it, and I can prevent that happening and let it through for you :)
Subject: MediaWiki Extensions Security Release Supplement
With the security/maintenance release of MediaWiki 1.31.4 / 1.32.4 / 1.33.1 , we would also like to provide this supplementary announcement of wmf-deployed extensions  with now-public security patches and backports :
== MobileFrontend ==
< https://gerrit.wikimedia.org/r/q/I0cb918f8148d1782882e104d127f08cbfa23e542 >
+ (T230576, CVE-2019-15124) - XSS in edit summary for ex:MobileFrontend Special:Watchlist
< https://gerrit.wikimedia.org/r/q/If4e91093c676de3391e6dde415c8c91c1f582998 >
== CheckUser ==
+ (T207094 [task to remain private], CVE-2019-16529) - Oversighted edit summaries still visible in CheckUser results
< https://gerrit.wikimedia.org/r/q/I3d28bd9f14c1237a34afcd2e4479152f571e29a6 >
== AbuseFilter ==
+ (T224203 [task to remain private], CVE-2019-16528) - Oversighting the user who performed an edit doesn't hide it from the abuse filter log
< https://gerrit.wikimedia.org/r/q/If3d3256404d0f3dbde171831937d1a816b3e2734 >
The Wikimedia Security Team recommends updating these extensions to the current master branch or supported release branches  as soon as possible. As you may have noticed, some of the referenced Phabricator tasks above are still private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns, please feel free to contact firstname.lastname@example.org or file a security task within Phabricator.