Page MenuHomePhabricator
Create Task
Maniphest T263803

Tracking bug for MediaWiki 1.31.11/1.35.1
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Reedy
Sep 24 2020, 11:28 PM
Tags
Referenced Files
F33947148: T120883-v9-1.patch
Dec 16 2020, 2:02 PM
F33947153: T120883-v9-REL1_31.patch
Dec 16 2020, 2:02 PM
F33947141: T120883-v8-1.patch
Dec 16 2020, 1:44 PM
F33942272: T120883.patch (v.8)
Dec 16 2020, 1:32 PM
F33946801: T120883-v8-REL1_31.patch
Dec 16 2020, 1:32 PM
F32423162: T205908.patch
Dec 15 2020, 1:52 PM
Subscribers
Aklapper
DannyS712
Reedy

Description

Previous work: T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0

Tracking bug for next security release, 1.31.11/1.35.1

Maniphest IDCVE IDREL1_31REL1_35master
T268894CVE-2020-35474n/amergedmerged
T268917CVE-2020-35475mergedmergedmerged
T268938CVE-2020-35478, CVE-2020-35479merged (1/2 issues applicable)mergedmerged
T205908CVE-2020-35477
T205908.patch2 KBDownload
T205908.patch2 KBDownload
T205908.patch2 KBDownload
T120883CVE-2020-35480
T120883-v8-REL1_31.patch6 KBDownload
T120883-v9-REL1_31.patch1 KBDownload
T120883-v8-1.patch6 KBDownload
T120883-v9-1.patch1 KBDownload
T120883-v8-1.patch6 KBDownload
T120883-v9-1.patch1 KBDownload

Details

Due Date
Dec 17 2020, 11:59 PM

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 24 2020, 11:28 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 24 2020, 11:28 PM
Reedy added a parent task: T263802: Release MediaWiki 1.31.11/1.35.1.Sep 24 2020, 11:29 PM
sbassett added a subtask: T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477).Nov 2 2020, 8:43 PM
sbassett mentioned this in T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477).
Urbanecm added a subscriber: DannyS712.Nov 2 2020, 9:23 PM
Urbanecm removed a subscriber: DannyS712.
sbassett added a subtask: Restricted Task.Nov 23 2020, 8:32 PM
DannyS712 subscribed.Nov 23 2020, 8:37 PM
Reedy renamed this task from Tracking bug for MediaWiki 1.31.11/1.34.5/1.35.1 to Tracking bug for MediaWiki 1.31.11/1.35.1.Nov 29 2020, 1:38 AM
Reedy set Due Date to Dec 17 2020, 11:59 PM.
Reedy updated the task description. (Show Details)
sbassett added a subtask: T268894: Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474).Dec 7 2020, 5:06 PM
sbassett added a subtask: T268917: Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475).
sbassett added a subtask: T268938: BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479).Dec 7 2020, 5:24 PM
Reedy updated the task description. (Show Details)Dec 15 2020, 1:04 PM
Reedy closed subtask T268894: Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474) as Resolved.Dec 15 2020, 1:23 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy closed subtask T268917: Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475) as Resolved.Dec 15 2020, 1:27 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Dec 15 2020, 1:36 PM
Reedy updated the task description. (Show Details)Dec 15 2020, 1:47 PM
Reedy updated the task description. (Show Details)Dec 15 2020, 1:52 PM
Reedy closed subtask T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477) as Resolved.Dec 15 2020, 1:56 PM
Reedy updated the task description. (Show Details)
DannyS712 added a comment.Dec 15 2020, 3:17 PM

@Reedy can T120883 be included in the release? At least up through patch v8 (v9 isn't deployed yet on WMF wikis)

Reedy added a comment.Dec 15 2020, 3:20 PM
In T263803#6692252, @DannyS712 wrote:

@Reedy can T120883 be included in the release? At least up through patch v8 (v9 isn't deployed yet on WMF wikis)

Maybe. The fact it's upto v8 already, and there's a v9... It doesn't seem the most stable, and it has caused at least some breakages already.

DannyS712 added a comment.Dec 15 2020, 3:37 PM
In T263803#6692257, @Reedy wrote:
In T263803#6692252, @DannyS712 wrote:

@Reedy can T120883 be included in the release? At least up through patch v8 (v9 isn't deployed yet on WMF wikis)

Maybe. The fact it's upto v8 already, and there's a v9... It doesn't seem the most stable, and it has caused at least some breakages already.

Its just that I keep discovering more divergent behavior, and am reusing the same task

Reedy added a comment.Dec 15 2020, 3:45 PM
In T263803#6692305, @DannyS712 wrote:
In T263803#6692257, @Reedy wrote:
In T263803#6692252, @DannyS712 wrote:

@Reedy can T120883 be included in the release? At least up through patch v8 (v9 isn't deployed yet on WMF wikis)

Maybe. The fact it's upto v8 already, and there's a v9... It doesn't seem the most stable, and it has caused at least some breakages already.

Its just that I keep discovering more divergent behavior, and am reusing the same task

You don't really need to keep amending the same patch, unless you're fixing further issues in the same code you've already fixed

Reedy updated the task description. (Show Details)Dec 15 2020, 4:27 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 12:18 PM
Reedy closed subtask T268938: BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479) as Resolved.Dec 16 2020, 1:04 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 1:25 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 1:32 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 1:44 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 2:02 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 7:55 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy mentioned this in T263809: Obtain CVEs for 1.31.11/1.35.1 security releases.Dec 16 2020, 8:00 PM
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Dec 18 2020, 12:26 AM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
DannyS712 closed subtask Restricted Task as Resolved.Dec 18 2020, 1:35 AM
Reedy closed this task as Resolved.Dec 18 2020, 3:18 AM
Reedy claimed this task.
DannyS712 mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Dec 18 2020, 3:19 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits