Page MenuHomePhabricator

Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1)
Closed, ResolvedPublic

Description

Per conversations with @Reedy and @CCicalese_WMF, I'm adding this subtask (and plan to have one for future mw security releases as well) to send a supplemental email to mediawiki-announce-l regarding any security-patched deployed or bundled extensions since the last mw security release. This is to promote some extra visibility for these critical extensions aside from folks paying careful attention to certain security bugs becoming public and/or routinely checking for relevant CVEs.

Maniphest IDExtensionCVE IDREL1_31REL1_32REL1_33master
T229541MobileFrontendCVE-2019-14807YesYesYesYes
T230576MobileFrontendCVE-2019-15124YesYesYesYes
T207094CheckUserCVE-2019-16529YesYesYesYes
T224203AbuseFilterCVE-2019-16528N/AYesYesYes

Event Timeline

sbassett created this task.Sep 5 2019, 3:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 5 2019, 3:31 PM
sbassett claimed this task.Sep 5 2019, 3:31 PM
sbassett triaged this task as Medium priority.
sbassett removed a project: Security.
sbassett added a subscriber: Reedy.
Restricted Application added a project: Security. · View Herald TranscriptSep 5 2019, 3:31 PM
sbassett updated the task description. (Show Details)Sep 5 2019, 3:34 PM
sbassett added a subscriber: CCicalese_WMF.
sbassett updated the task description. (Show Details)Sep 5 2019, 3:38 PM
sbassett updated the task description. (Show Details)Sep 5 2019, 3:44 PM
sbassett updated the task description. (Show Details)Sep 19 2019, 3:37 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Sep 19 2019, 5:08 PM
sbassett updated the task description. (Show Details)Sep 19 2019, 8:06 PM
sbassett updated the task description. (Show Details)Sep 20 2019, 3:04 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)

How do we want to do this? Put it in T225153? Or send at a similar time to we send T225153?

The plan is to get T225151 out next week

@Reedy - I was thinking a separate, supplemental email, so people would just pay attention to that. But pretty much sent around the same time as the proper release announcement. I can come up with some boilerplate, should be pretty simple.

As for timing - there's one complication: T207094 is in a weird state right now as it's kind of half-solved. The first patch (re-mentioned at T207094#5512108) is applied to .23 right now in production. But it doesn't fully solve the problem as noted in that comment. But that task is PermanentlyPrivate so there isn't an information disclosure issue there, really. So if we made this task public (which mentions the CU task) and backport the patch in gerrit, we're still probably ok, kind of. But... the CU issue isn't fully resolved and might not be for a while due to perf issues. So I'm not 100% sure what to do here. The entire goal of this task and the email to mediawiki-announce-l was to publicize these security patches for deployed/bundled extensions for better visibility.

Reedy added a comment.Oct 7 2019, 7:12 PM

The main release is out

@Reedy - Thanks, I'll work on the boilerplate for this announcement today or tomorrow and post it here. Then write up the email and send it to mediawiki-announce-l, wikitech-l and mediawiki-l.

Reedy added a comment.Oct 7 2019, 8:26 PM

@Reedy - Thanks, I'll work on the boilerplate for this announcement today or tomorrow and post it here. Then write up the email and send it to mediawiki-announce-l, wikitech-l and mediawiki-l.

Just FYI, mediawiki-announce-l has restricted access (and by default, all messages to it are just dropped). Ping me when you want to send it, and I can prevent that happening and let it through for you :)

Just FYI, mediawiki-announce-l has restricted access

Ah, good to know. Thanks!

sbassett moved this task from Backlog to In Progress on the user-sbassett board.Oct 8 2019, 5:01 PM
sbassett updated the task description. (Show Details)Oct 8 2019, 6:33 PM
sbassett added a comment.EditedOct 8 2019, 7:16 PM

{{draft}}

Subject: MediaWiki Extensions Security Release Supplement

Greetings-

With the security/maintenance release of MediaWiki 1.31.4 / 1.32.4 / 1.33.1 [0], we would also like to provide this supplementary announcement of wmf-deployed extensions [1] with now-public security patches and backports [2]:

== MobileFrontend ==
+ (T229541, CVE-2019-14807) - Javascript injection in edit summary on mobile site.
< https://gerrit.wikimedia.org/r/q/I0cb918f8148d1782882e104d127f08cbfa23e542 >

+ (T230576, CVE-2019-15124) - XSS in edit summary for ex:MobileFrontend Special:Watchlist
< https://gerrit.wikimedia.org/r/q/If4e91093c676de3391e6dde415c8c91c1f582998 >

== CheckUser ==
+ (T207094 [task to remain private], CVE-2019-16529) - Oversighted edit summaries still visible in CheckUser results
< https://gerrit.wikimedia.org/r/q/I3d28bd9f14c1237a34afcd2e4479152f571e29a6 >

== AbuseFilter ==
+ (T224203 [task to remain private], CVE-2019-16528) - Oversighting the user who performed an edit doesn't hide it from the abuse filter log
< https://gerrit.wikimedia.org/r/q/If3d3256404d0f3dbde171831937d1a816b3e2734 >

The Wikimedia Security Team recommends updating these extensions to the current master branch or supported release branches [3] as soon as possible. As you may have noticed, some of the referenced Phabricator tasks above are still private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns, please feel free to contact security@wikimedia.org or file a security task within Phabricator.

[0] https://lists.wikimedia.org/pipermail/wikitech-l/2019-October/092656.html
[1] https://w.wiki/9hi
[2] https://phabricator.wikimedia.org/T232113
[3] https://www.mediawiki.org/wiki/Version_lifecycle

@Reedy - suggestions or improvements on the above?

sbassett moved this task from In Progress to Done on the user-sbassett board.Oct 11 2019, 3:22 PM
sbassett removed a project: user-sbassett.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".