Page MenuHomePhabricator
Create Task
Maniphest T240400

Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1)
Closed, ResolvedPublic
Actions

Description

See previous work: T234983.

Maniphest IDExtension or SkinCVE IDREL1_31REL1_33REL1_34master
T240502MobileFrontendNone per T240502#5755615YesYesYesYes
T240773WikibaseMediaInfoCVE-2020-6163N/AN/AN/AYes
T245850WidgetsCVE-2020-9382YesYesYesYes
T229731GlobalBlockingCVE-2020-10534YesYesYesYes

Related Objects
Search...

Event Timeline

Reedy created this task.Dec 10 2019, 10:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2019, 10:55 PM
Reedy updated the task description. (Show Details)Dec 10 2019, 10:56 PM
sbassett claimed this task.Dec 10 2019, 10:57 PM
sbassett triaged this task as Medium priority.
sbassett updated the task description. (Show Details)
sbassett added a project: user-sbassett.
Reedy added a project: MediaWiki-Releasing.Dec 10 2019, 10:58 PM
sbassett renamed this task from Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1) to Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1).Dec 19 2019, 6:12 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 19 2019, 11:03 PM
sbassett moved this task from Backlog / Other to Operational issues on the acl*security board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett updated the task description. (Show Details)Dec 20 2019, 3:01 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 8 2020, 6:29 PM
sbassett updated the task description. (Show Details)Jan 8 2020, 6:33 PM
sbassett updated the task description. (Show Details)Jan 8 2020, 6:38 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1) to Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Jan 23 2020, 1:11 PM
Reedy updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 3 2020, 8:28 PM
Legoktm subscribed.Feb 3 2020, 10:08 PM

@sbassett OATHAuth is bundled in the tarball so it should be announced/released with the normal MediaWiki security release rather than in a supplementary one.

sbassett updated the task description. (Show Details)Feb 3 2020, 10:31 PM
In T240400#5846314, @Legoktm wrote:

@sbassett OATHAuth is bundled in the tarball...

Ah, so it is. Thanks.

chasemp added a project: Security.Feb 10 2020, 10:56 PM
sbassett mentioned this in T240394: Write and send pre-release announcements for MediaWiki 1.31.7/1.33.3/1.34.1.Feb 13 2020, 8:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
sbassett mentioned this in T245850: Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382).Feb 24 2020, 9:01 PM
sbassett updated the task description. (Show Details)Feb 24 2020, 9:03 PM
sbassett updated the task description. (Show Details)Feb 24 2020, 10:20 PM
sbassett added subscribers: Bawolff, Alexia.Feb 25 2020, 4:21 PM
sbassett moved this task from In Progress to Waiting on the user-sbassett board.Feb 25 2020, 9:40 PM
Reedy added a subtask: T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 10 2020, 2:13 PM
Reedy updated the task description. (Show Details)
sbassett added subtasks: T240502: Raw HTML in MobileFrontend, T240773: Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163), T245850: Invoking any namespaced page with {{#widget:}} will run the page's contents as a widget; even if the page is not in Widget namespace (CVE-2020-9382).Mar 10 2020, 2:15 PM
sbassett mentioned this in T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 12 2020, 8:49 PM
sbassett closed subtask T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) as Resolved.Mar 13 2020, 7:52 PM
sbassett updated the task description. (Show Details)Mar 13 2020, 7:55 PM
sbassett reopened subtask T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) as Open.Mar 13 2020, 8:41 PM
Reedy closed subtask T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534) as Resolved.Mar 24 2020, 5:41 PM
Reedy mentioned this in T248542: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.8/1.33.4/1.34.2).Mar 26 2020, 12:38 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 6:15 PM
DannyS712 subscribed.Mar 26 2020, 6:22 PM
sbassett updated the task description. (Show Details)Mar 26 2020, 8:21 PM
sbassett added a comment.EditedMar 26 2020, 8:27 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1)

Greetings-

With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

== MobileFrontend ==
+ (T240502, No CVE) - List known raw html messages
< https://gerrit.wikimedia.org/r/q/I301aee4093fe2b0e8f6dfe5422226bb80af1de20 >

== WikibaseMediaInfo ==
+ (T240773, CVE-2020-6163) - Escape labels in HTML output
< https://gerrit.wikimedia.org/r/q/If47903f11645e52d56a875be4c03de47400cef01 >

== Widgets ==
+ (T245850, CVE-2020-9382) - Title::newFromText() is not safe for user input
< https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 >

== GlobalBlocking ==
+ (T229731, CVE-2020-10534) - Apply most specific global block
< https://gerrit.wikimedia.org/r/q/I9cc5fb2c08c78bbd797a5fc6d89f4577c8cc118b >

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
[1] https://phabricator.wikimedia.org/T240400
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

DannyS712 added a comment.Mar 26 2020, 8:31 PM

Given that none of the listed tasks are private, does the note about tasks still private need to be included?

Reedy added a comment.Mar 26 2020, 8:32 PM
In T240400#6003324, @DannyS712 wrote:

Given that none of the listed tasks are private, does the note about tasks still private need to be included?

It's boilerplate. I don't think it matters

sbassett closed this task as Resolved.Mar 26 2020, 8:43 PM

Done and done.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000248.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-March/048353.html
https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093245.html

sbassett moved this task from Waiting to Done on the user-sbassett board.Mar 26 2020, 8:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits