Page MenuHomePhabricator
Create Task
Maniphest T263809

Obtain CVEs for 1.31.11/1.35.1 security releases
Closed, ResolvedPublic
Actions

Description

To be obtained:

  • (T268894) Message recentchanges-legend-watchlistexpiry can contain raw html. CVE-2020-35474
  • (T268917) Messages userrights-expiry-current and userrights-expiry-none can contains raw html. CVE-2020-35475
  • (T268938) BlockLogFormatter can output raw html.
  • (T205908) Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
  • (T120883) Divergent behavior for contributions and user pages of hidden users and missing users.

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 24 2020, 11:29 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 24 2020, 11:29 PM
Reedy added a parent task: T263802: Release MediaWiki 1.31.11/1.35.1.Sep 24 2020, 11:29 PM
Reedy renamed this task from Obtain CVEs for 1.31.11/1.34.5/1.35.1 security releases to Obtain CVEs for 1.31.11/1.35.1 security releases.Nov 29 2020, 1:40 AM
Reedy updated the task description. (Show Details)Dec 15 2020, 2:03 PM
Reedy updated the task description. (Show Details)Dec 15 2020, 4:17 PM

CVE's requested for T268894 and T268917 so far

Reedy added a comment.Dec 16 2020, 2:18 AM

Waiting to find out if T268938: BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479) is applicable for REL1_31 (seemingly not).

T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477) needs requesting

And I think we're probably including {T120883}, but requesting a CVE is a bit... icky as it's "ongoing fixes" etc

Reedy updated the task description. (Show Details)Dec 16 2020, 12:19 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 1:17 PM

CVE requested for T268938: BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479)

Reedy added a comment.EditedDec 16 2020, 1:24 PM

And T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477)

Reedy updated the task description. (Show Details)Dec 16 2020, 1:24 PM
Reedy updated the task description. (Show Details)Dec 16 2020, 1:30 PM
Reedy closed this task as Resolved.Dec 16 2020, 8:00 PM
Reedy claimed this task.

CVE's all listed on T263803: Tracking bug for MediaWiki 1.31.11/1.35.1

Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Dec 18 2020, 12:25 AM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits