Page MenuHomePhabricator

Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0
Closed, ResolvedPublic

Description

Previous work: T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2

Tracking bug for next security release, 1.31.9/1.34.3/1.35.0

Maniphest IDCVE IDREL1_31REL1_34REL1_35master
T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)CVE-2020-25812n/a (introduced in 1.34.0)
T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815)CVE-2020-25815n/a (introduced in 1.32.0)
T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813)CVE-2020-25813mergedmergedmergedmerged
T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368)CVE-2020-17367 CVE-2020-17368
T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814)CVE-2020-25814
T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828)CVE-2020-25828
T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)CVE-2020-25869
T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)CVE-2020-25827mergedmergedmergedmerged

Current deploy1001 /srv/patches

reedy@deploy1001:/srv/patches/1.36.0-wmf.9/core$ ls -al
total 44
drwxrwxr-x 2 liw wikidev 4096 Sep  2 11:11 .
drwxrwxr-x 3 liw wikidev 4096 Sep 15 12:02 ..
-rw-r--r-- 1 liw wikidev 1226 Jun 29 21:52 01-T255918.patch
-rw-r--r-- 1 liw wikidev 1681 Jun 29 21:50 02-T256171.patch
-rw-r--r-- 1 liw wikidev 1805 Jul 24 02:41 03-T258763.patch
-rw-r--r-- 1 liw wikidev 5138 Aug  4 10:31 05-T86738.patch
-rw-r--r-- 1 liw wikidev 2604 Aug  3 16:09 06-T115888.patch
-rw-r--r-- 1 liw wikidev 2582 Aug 24 13:37 07-T260485.patch
-rw-r----- 1 liw wikidev 5588 Sep  2 11:06 08-T260485-2.patch

Details

Due Date
Sep 30 2020, 10:00 PM

Related Objects

Event Timeline

Reedy set Due Date to Sep 30 2020, 10:00 PM.Jun 25 2020, 12:32 AM
Reedy renamed this task from Tracking bug for MediaWiki 1.31.9/1.34.3 to Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.1.Aug 26 2020, 4:02 PM
Reedy updated the task description. (Show Details)
Reedy renamed this task from Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.1 to Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.Sep 21 2020, 2:38 PM
Reedy updated the task description. (Show Details)

Patches for master from deploy1001:/srv/patches/1.36.0-wmf.9/core

Reedy updated the task description. (Show Details)

Nice. So the patches for master apply cleanly to REL1_34 and REL1_35

For REL1_31, only the patch for T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) cleanly applies

TBC!

Reedy updated the task description. (Show Details)
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Sep 24 2020, 3:07 PM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
Reedy claimed this task.
jbond removed a subscriber: jbond.