Page MenuHomePhabricator

Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1)
Closed, ResolvedPublic

Description

See previous work: T234983.

Maniphest IDExtension or SkinCVE IDREL1_31REL1_33REL1_34master
T240502MobileFrontendNone per T240502#5755615YesYesYesYes
T240773WikibaseMediaInfoCVE-2020-6163N/AN/AN/AYes
T245850WidgetsCVE-2020-9382YesYesYesYes
T229731GlobalBlockingCVE-2020-10534YesYesYesYes

Related Objects

Event Timeline

Reedy created this task.Dec 10 2019, 10:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2019, 10:55 PM
Reedy updated the task description. (Show Details)Dec 10 2019, 10:56 PM
sbassett triaged this task as Medium priority.
sbassett updated the task description. (Show Details)
sbassett added a project: user-sbassett.
sbassett renamed this task from Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1) to Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1).Dec 19 2019, 6:12 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 19 2019, 11:03 PM
sbassett moved this task from Backlog / Other to Operational issues on the acl*security board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett updated the task description. (Show Details)Dec 20 2019, 3:01 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 8 2020, 6:29 PM
sbassett updated the task description. (Show Details)Jan 8 2020, 6:33 PM
sbassett updated the task description. (Show Details)Jan 8 2020, 6:38 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1) to Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Jan 23 2020, 1:11 PM
Reedy updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 3 2020, 8:28 PM

@sbassett OATHAuth is bundled in the tarball so it should be announced/released with the normal MediaWiki security release rather than in a supplementary one.

sbassett updated the task description. (Show Details)Feb 3 2020, 10:31 PM

@sbassett OATHAuth is bundled in the tarball...

Ah, so it is. Thanks.

sbassett updated the task description. (Show Details)Feb 24 2020, 9:03 PM
sbassett updated the task description. (Show Details)Feb 24 2020, 10:20 PM
sbassett moved this task from In Progress to Waiting on the user-sbassett board.Feb 25 2020, 9:40 PM
sbassett updated the task description. (Show Details)Mar 13 2020, 7:55 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 6:15 PM
sbassett updated the task description. (Show Details)Mar 26 2020, 8:21 PM
sbassett added a comment.EditedMar 26 2020, 8:27 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1)

Greetings-

With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

== MobileFrontend ==
+ (T240502, No CVE) - List known raw html messages
< https://gerrit.wikimedia.org/r/q/I301aee4093fe2b0e8f6dfe5422226bb80af1de20 >

== WikibaseMediaInfo ==
+ (T240773, CVE-2020-6163) - Escape labels in HTML output
< https://gerrit.wikimedia.org/r/q/If47903f11645e52d56a875be4c03de47400cef01 >

== Widgets ==
+ (T245850, CVE-2020-9382) - Title::newFromText() is not safe for user input
< https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 >

== GlobalBlocking ==
+ (T229731, CVE-2020-10534) - Apply most specific global block
< https://gerrit.wikimedia.org/r/q/I9cc5fb2c08c78bbd797a5fc6d89f4577c8cc118b >

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
[1] https://phabricator.wikimedia.org/T240400
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Given that none of the listed tasks are private, does the note about tasks still private need to be included?

Reedy added a comment.Mar 26 2020, 8:32 PM

Given that none of the listed tasks are private, does the note about tasks still private need to be included?

It's boilerplate. I don't think it matters

sbassett moved this task from Waiting to Done on the user-sbassett board.Mar 26 2020, 8:43 PM