Page MenuHomePhabricator
Create Task
Maniphest T256335

Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Reedy
Jun 24 2020, 11:46 PM
Tags
Referenced Files
F32361067: 06-T115888-REL1_31.patch
Sep 23 2020, 5:01 PM
F32358493: 08-T260485-2-REL1_31.patch
Sep 23 2020, 10:42 AM
F32358495: 08-T260485-2-REL1_34.patch
Sep 23 2020, 10:42 AM
F32358464: 07-T260485-REL1_31.patch
Sep 23 2020, 10:42 AM
F32358448: 05-T86738-REL1_31.patch
Sep 21 2020, 11:35 PM
F32358405: 08-T260485-2.patch
Sep 21 2020, 10:53 PM
F32358406: 07-T260485.patch
Sep 21 2020, 10:53 PM
F32358409: 06-T115888.patch
Sep 21 2020, 10:53 PM
View All 12 Files
Subscribers
Aklapper
DannyS712
Reedy

Description

Previous work: T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2

Tracking bug for next security release, 1.31.9/1.34.3/1.35.0

Maniphest IDCVE IDREL1_31REL1_34REL1_35master
T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)CVE-2020-25812n/a (introduced in 1.34.0)
01-T255918.patch1 KBDownload
01-T255918.patch1 KBDownload
01-T255918.patch1 KBDownload
T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815)CVE-2020-25815n/a (introduced in 1.32.0)
02-T256171.patch1 KBDownload
02-T256171.patch1 KBDownload
02-T256171.patch1 KBDownload
T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813)CVE-2020-25813mergedmergedmergedmerged
T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368)CVE-2020-17367 CVE-2020-17368
03-T258763.patch1 KBDownload
03-T258763.patch1 KBDownload
03-T258763.patch1 KBDownload
03-T258763.patch1 KBDownload
T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814)CVE-2020-25814
05-T86738-REL1_31.patch4 KBDownload
05-T86738.patch5 KBDownload
05-T86738.patch5 KBDownload
05-T86738.patch5 KBDownload
T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828)CVE-2020-25828
06-T115888-REL1_31.patch2 KBDownload
06-T115888.patch2 KBDownload
06-T115888.patch2 KBDownload
06-T115888.patch2 KBDownload
T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)CVE-2020-25869
07-T260485-REL1_31.patch2 KBDownload
08-T260485-2-REL1_31.patch6 KBDownload
07-T260485.patch2 KBDownload
08-T260485-2-REL1_34.patch5 KBDownload
07-T260485.patch2 KBDownload
08-T260485-2.patch5 KBDownload
07-T260485.patch2 KBDownload
08-T260485-2.patch5 KBDownload
T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)CVE-2020-25827mergedmergedmergedmerged

Current deploy1001 /srv/patches

reedy@deploy1001:/srv/patches/1.36.0-wmf.9/core$ ls -al
total 44
drwxrwxr-x 2 liw wikidev 4096 Sep  2 11:11 .
drwxrwxr-x 3 liw wikidev 4096 Sep 15 12:02 ..
-rw-r--r-- 1 liw wikidev 1226 Jun 29 21:52 01-T255918.patch
-rw-r--r-- 1 liw wikidev 1681 Jun 29 21:50 02-T256171.patch
-rw-r--r-- 1 liw wikidev 1805 Jul 24 02:41 03-T258763.patch
-rw-r--r-- 1 liw wikidev 5138 Aug  4 10:31 05-T86738.patch
-rw-r--r-- 1 liw wikidev 2604 Aug  3 16:09 06-T115888.patch
-rw-r--r-- 1 liw wikidev 2582 Aug 24 13:37 07-T260485.patch
-rw-r----- 1 liw wikidev 5588 Sep  2 11:06 08-T260485-2.patch

Details

Due Date
Sep 30 2020, 10:00 PM

Related Objects
Search...

Event Timeline

Reedy added projects: Security, Security-Team.Jun 24 2020, 11:46 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 24 2020, 11:46 PM
Reedy added a parent task: T256334: Release MediaWiki 1.31.9/1.34.3/1.35.0.Jun 24 2020, 11:46 PM
Reedy edited projects, added MediaWiki-Releasing; removed Security-Team.Jun 24 2020, 11:51 PM
Reedy set Due Date to Sep 30 2020, 10:00 PM.Jun 25 2020, 12:32 AM
sbassett updated the task description. (Show Details)Jun 26 2020, 6:58 PM
sbassett added a subtask: T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815).Jun 29 2020, 10:55 PM
sbassett added a subtask: T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812).
sbassett removed a subtask: T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815).
sbassett added a subtask: T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815).
Legoktm added a subtask: T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813).Jul 3 2020, 4:49 AM
Reedy added a subtask: T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).Jul 27 2020, 3:11 PM
sbassett mentioned this in T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814).Aug 3 2020, 9:32 PM
sbassett added a subtask: T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814).Aug 3 2020, 9:38 PM
sbassett added a subtask: T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828).
sbassett mentioned this in T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828).
Aklapper added a project: Release.Aug 10 2020, 7:48 AM
Legoktm closed subtask T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813) as Resolved.Aug 11 2020, 9:04 PM
daniel added a subtask: T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869).Aug 26 2020, 4:01 PM
Reedy renamed this task from Tracking bug for MediaWiki 1.31.9/1.34.3 to Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.1.Aug 26 2020, 4:02 PM
Reedy updated the task description. (Show Details)
Reedy added a subtask: T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827).Sep 3 2020, 5:08 PM
Reedy added a subtask: T262213: XSS on Pages viewed on Mobile (CVE-2020-26120).Sep 7 2020, 9:49 PM
Reedy updated the task description. (Show Details)Sep 7 2020, 10:28 PM
Reedy updated the task description. (Show Details)Sep 7 2020, 10:30 PM
Reedy closed subtask T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827) as Resolved.
Reedy removed a subtask: T262213: XSS on Pages viewed on Mobile (CVE-2020-26120).Sep 7 2020, 10:57 PM
Reedy updated the task description. (Show Details)
Reedy renamed this task from Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.1 to Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.Sep 21 2020, 2:38 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Sep 21 2020, 5:11 PM
Reedy updated the task description. (Show Details)Sep 21 2020, 5:32 PM
Reedy added a comment.Sep 21 2020, 10:53 PM

Patches for master from deploy1001:/srv/patches/1.36.0-wmf.9/core

01-T255918.patch1 KBDownload

02-T256171.patch1 KBDownload

03-T258763.patch1 KBDownload

05-T86738.patch5 KBDownload

06-T115888.patch2 KBDownload

07-T260485.patch2 KBDownload

08-T260485-2.patch5 KBDownload

Reedy updated the task description. (Show Details)Sep 21 2020, 10:53 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Sep 21 2020, 11:09 PM
Reedy added a comment.Sep 21 2020, 11:12 PM

Nice. So the patches for master apply cleanly to REL1_34 and REL1_35

For REL1_31, only the patch for T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) cleanly applies

TBC!

Reedy updated the task description. (Show Details)Sep 21 2020, 11:21 PM
Reedy updated the task description. (Show Details)Sep 21 2020, 11:26 PM
Reedy updated the task description. (Show Details)Sep 21 2020, 11:35 PM
Reedy closed subtask T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812) as Resolved.
Reedy closed subtask T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815) as Resolved.
Reedy closed subtask T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) as Resolved.Sep 21 2020, 11:38 PM
Reedy closed subtask T86738: mw.message.parse() accepts javascript: protocol in wikilinks (CVE-2020-25814) as Resolved.
Reedy updated the task description. (Show Details)Sep 22 2020, 9:30 PM
Reedy updated the task description. (Show Details)Sep 23 2020, 10:39 AM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Sep 23 2020, 10:42 AM
Reedy updated the task description. (Show Details)Sep 23 2020, 3:24 PM
Reedy updated the task description. (Show Details)Sep 23 2020, 5:01 PM
Reedy closed subtask T115888: Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML (CVE-2020-25828) as Resolved.Sep 23 2020, 5:05 PM
Reedy updated the task description. (Show Details)Sep 24 2020, 1:10 AM
Reedy updated the task description. (Show Details)Sep 24 2020, 4:05 AM
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Sep 24 2020, 3:07 PM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
DannyS712 subscribed.Sep 24 2020, 4:59 PM
Reedy closed this task as Resolved.Sep 24 2020, 11:14 PM
Reedy claimed this task.
jbond subscribed.Sep 28 2020, 1:21 PM
jbond unsubscribed.
tstarling closed subtask T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) as Resolved.Nov 13 2020, 2:26 AM
Reedy mentioned this in T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 15 2020, 1:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL