Page MenuHomePhabricator
Create Task
Maniphest T256342

Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0)
Closed, ResolvedPublic
Actions

Description

Previous work: T248542

Maniphest IDExtension or SkinCVE IDREL1_31REL1_34REL1_35master
T238075MobileFrontendNone - configuration issueYesYesYesYes
T262213MobileFrontendCVE-2020-26120YesYesYesYes
T260485CentralAuthCVE-2020-258691, 21, 21, 21, 2
T262628FileImporterCVE-2020-26121NoYesYesYes

Notes:

  1. Save T262724 and T263498 for next release.

Related Objects
Search...

Event Timeline

Reedy added projects: Security, Security-Team.Jun 24 2020, 11:46 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 24 2020, 11:46 PM
Reedy added a parent task: T256334: Release MediaWiki 1.31.9/1.34.3/1.35.0.Jun 24 2020, 11:46 PM
Reedy edited projects, added MediaWiki-Releasing; removed Security-Team.Jun 24 2020, 11:51 PM
sbassett claimed this task.Jun 25 2020, 3:53 PM
sbassett triaged this task as Medium priority.
sbassett added a project: user-sbassett.
sbassett updated the task description. (Show Details)
sbassett moved this task from Backlog to Waiting on the user-sbassett board.Jun 25 2020, 3:56 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 28 2020, 6:25 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T238075: Alert group Cookie(s) without HttpOnly flag set.
sbassett renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.x).Jul 28 2020, 6:28 PM
sbassett updated the task description. (Show Details)Jul 29 2020, 2:57 PM
sbassett updated the task description. (Show Details)Aug 3 2020, 5:00 PM
sbassett updated the task description. (Show Details)
sbassett added a project: Security-Team.Aug 17 2020, 4:21 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
Reedy added a subtask: T262213: XSS on Pages viewed on Mobile (CVE-2020-26120).Sep 7 2020, 10:57 PM
Reedy added a subtask: T238075: Alert group Cookie(s) without HttpOnly flag set.
Reedy added subtasks: T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869), T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827).
Reedy removed a subtask: T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827).Sep 7 2020, 11:01 PM
Reedy mentioned this in T262213: XSS on Pages viewed on Mobile (CVE-2020-26120).Sep 7 2020, 11:22 PM
Reedy closed subtask T262213: XSS on Pages viewed on Mobile (CVE-2020-26120) as Resolved.Sep 14 2020, 3:13 PM
sbassett updated the task description. (Show Details)Sep 14 2020, 3:19 PM
sbassett updated the task description. (Show Details)Sep 14 2020, 3:48 PM
sbassett mentioned this in T262724: Push extension exposes login credentials (CVE-2020-29004, CVE-2020-29005).
sbassett added subscribers: tosfos, Pastakhov.
sbassett updated the task description. (Show Details)Sep 14 2020, 3:50 PM
sbassett updated the task description. (Show Details)Sep 14 2020, 3:54 PM
sbassett added a subscriber: Sudozero.Sep 22 2020, 8:12 PM
sbassett mentioned this in T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623).Sep 22 2020, 8:14 PM
sbassett updated the task description. (Show Details)Sep 22 2020, 8:25 PM
sbassett updated the task description. (Show Details)Sep 22 2020, 9:31 PM
sbassett updated the task description. (Show Details)Sep 22 2020, 9:37 PM
sbassett mentioned this in T262628: FileImporter imports the file even when the target page is protected on Commons and the importer should not be able to create it (CVE-2020-26121).Sep 22 2020, 9:41 PM
Reedy mentioned this in T256341: Obtain CVEs for 1.31.9/1.34.3/1.35.0 security releases.Sep 22 2020, 9:41 PM
sbassett updated the task description. (Show Details)Sep 22 2020, 9:44 PM
sbassett updated the task description. (Show Details)Sep 23 2020, 9:15 PM
sbassett updated the task description. (Show Details)Sep 24 2020, 8:50 PM
sbassett updated the task description. (Show Details)Sep 24 2020, 8:56 PM
sbassett updated the task description. (Show Details)Sep 24 2020, 8:58 PM
sbassett updated the task description. (Show Details)Sep 28 2020, 4:57 PM
sbassett added a comment.EditedSep 28 2020, 6:19 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.9/1.34.3/1.35.0)

Greetings-

With the security/maintenance release of MediaWiki 1.31.9/1.34.3/1.35.0 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

MobileFrontend

+ (T238075) - Alert group Cookie(s) without HttpOnly flag are set due to default configuration
< https://gerrit.wikimedia.org/r/q/I8e84f1cbc8878974532b511cebd9de40c5de55c6 >

MobileFrontend

+ (T262213, CVE-2020-26120) - XSS on Pages viewed within MobileFrontend extension
< https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea >

CentralAuth

+ (T260485, CVE-2020-25869) - CentralAuth uses wrong actor ID when locally suppressing the user
< https://gerrit.wikimedia.org/r/q/Iaa886a1824e5a74f4501ca7e28917c780222aac0 >
< https://gerrit.wikimedia.org/r/q/I2336954c665366a99f9995df9b08071d4de6db79 >

FileImporter

+ (T262628, CVE-2020-26121) - FileImporter imports the file even when the target page is protected on Commons
< https://gerrit.wikimedia.org/r/q/Ib852a96afc4dca10516d0510e69c10f9892b351b >

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
[1] https://phabricator.wikimedia.org/T256342
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett closed this task as Resolved.Sep 28 2020, 6:31 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.

Sent.

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000265.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048504.html
https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093904.html

sbassett renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.x) to Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0).Sep 28 2020, 6:32 PM
sbassett moved this task from Waiting to Done on the user-sbassett board.
sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)".
sbassett mentioned this in T263810: Write and send supplementary release announcement for extensions and skins with security patches (1.31.11/1.35.1).Oct 19 2020, 4:17 PM
tstarling closed subtask T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869) as Resolved.Nov 13 2020, 2:26 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL