Previous work: T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2
Tracking bug for next security release, 1.31.9/1.34.3/1.35.0
Maniphest ID | CVE ID | REL1_31 | REL1_34 | REL1_35 | master |
---|---|---|---|---|---|
T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812) | CVE-2020-25812 | n/a (introduced in 1.34.0) | | | |
T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815) | CVE-2020-25815 | n/a (introduced in 1.32.0) | | | |
T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813) | CVE-2020-25813 | merged | merged | merged | merged |
T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) | CVE-2020-17367 CVE-2020-17368 | | | | |
T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814) | CVE-2020-25814 | | | | |
T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828) | CVE-2020-25828 | | | | |
T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) | CVE-2020-25869 | | | | |
T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827) | CVE-2020-25827 | merged | merged | merged | merged |
Current deploy1001 /srv/patches
```
reedy@deploy1001:/srv/patches/1.36.0-wmf.9/core$ ls -al
total 44
drwxrwxr-x 2 liw wikidev 4096 Sep 2 11:11 .
drwxrwxr-x 3 liw wikidev 4096 Sep 15 12:02 ..
-rw-r--r-- 1 liw wikidev 1226 Jun 29 21:52 01-T255918.patch
-rw-r--r-- 1 liw wikidev 1681 Jun 29 21:50 02-T256171.patch
-rw-r--r-- 1 liw wikidev 1805 Jul 24 02:41 03-T258763.patch
-rw-r--r-- 1 liw wikidev 5138 Aug 4 10:31 05-T86738.patch
-rw-r--r-- 1 liw wikidev 2604 Aug 3 16:09 06-T115888.patch
-rw-r--r-- 1 liw wikidev 2582 Aug 24 13:37 07-T260485.patch
-rw-r----- 1 liw wikidev 5588 Sep 2 11:06 08-T260485-2.patch
```