Maniphest T270459

Tracking bug for MediaWiki 1.31.13/1.35.2
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	Dec 18 2020, 3:13 AM

Tags

Referenced Files

	F34251710: 02-T272386-REL1_31.patch
	Apr 5 2021, 12:13 AM

	F34251708: 02-T272386-REL1_35.patch
	Apr 5 2021, 12:13 AM

	F34251709: 02-T272386-master.patch
	Apr 5 2021, 12:13 AM

	F34251705: 04-T270998-REL1_35.patch
	Apr 5 2021, 12:12 AM

	F34251707: 04-T270998-REL1_31.patch
	Apr 5 2021, 12:12 AM

	F34251706: 04-T270998-master.patch
	Apr 5 2021, 12:12 AM

	F34251703: 01-T270453-REL1_31.patch
	Apr 5 2021, 12:10 AM

	F34251704: 01-T270453-REL1_35.patch
	Apr 5 2021, 12:10 AM

View All 13 Files

Subscribers

Description

Previous work: T263803: Tracking bug for MediaWiki 1.31.11/1.35.1

Tracking bug for next security release, 1.31.13/1.35.2

Maniphest ID	CVE ID	REL1_31	REL1_35	master
T270453	CVE-2021-30153	(not in tarball) 01-T270453-REL1_31.patch1 KBDownload	01-T270453-REL1_35.patch1 KBDownload	0001-SECURITY-Act-like-users-don-t-exist_master.patch1 KBDownload
T270713	CVE-2021-30152	T270713-master.patch1 KBDownload	T270713-master.patch1 KBDownload	T270713-master.patch1 KBDownload
T270988	CVE-2021-30155	04-T270998-REL1_31.patch1 KBDownload	04-T270998-REL1_35.patch1 KBDownload	04-T270998-master.patch1 KBDownload
T272386	CVE-2021-30159	02-T272386-REL1_31.patch959 BDownload	02-T272386-REL1_35.patch1022 BDownload	02-T272386-master.patch924 BDownload
T276843	CVE-2021-20270, CVE-2021-27291	0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch2 KBDownload	merged	merged
T277009	CVE-2021-30158	merged	merged	merged
T278058	CVE-2021-30157	merged	merged	merged
T278014	CVE-2021-30154	merged	merged	merged
T279451	CVE-2021-30458	n/a

Notes:

T274883 never made it into a release, but I figured we'd track it here just in case. There's also a "better" patch that will be pushed through gerrit, as a replacement to the initial production security patch.
T277009 went through gerrit as a low-risk, security-related bug.

Details

Due Date: Apr 8 2021, 10:30 PM

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Reedy	T270458 Release MediaWiki 1.31.13/1.35.2
		Resolved		Reedy	T270459 Tracking bug for MediaWiki 1.31.13/1.35.2
		Resolved	Security	matmarex	T270453 CVE-2021-30153: ApiVisualEditor leaks info about hidden users
		Resolved	Security	Reedy	T270713 CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level
		Resolved	Security	taavi	T270988 CVE-2021-30155: Titleblacklist didn't prevent creation of pages by Special:ChangeContentModel when a rule was met
		Resolved	Security	tstarling	T272386 CVE-2021-30159: Non-admin deleted enwiki page in fast double move
		Resolved	Security	matmarex	T274883 Parse warnings shown in plain wikitext with live preview
		Resolved	Security	Legoktm	T276843 Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 and CVE-2021-27291
		Resolved	Security	matmarex	T277009 CVE-2021-30158: Allow blocked users to access Special:ResetTokens
		Resolved	Security	Grunny	T278058 CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist)
		Resolved	Security	Grunny	T278014 CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles
		Resolved	Security	Arlolra	T279451 CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Dec 18 2020, 3:13 AM

Reedy subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 18 2020, 3:13 AM

Reedy added a parent task: T270458: Release MediaWiki 1.31.13/1.35.2.Dec 18 2020, 3:14 AM

DannyS712 updated the task description. (Show Details)Dec 18 2020, 3:19 AM

Reedy added a subtask: T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users.Dec 21 2020, 4:35 PM

sbassett mentioned this in T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users.Dec 21 2020, 10:31 PM

sbassett changed the status of subtask T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users from Open to Stalled.Dec 22 2020, 3:39 PM

Reedy added a subtask: T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level.Jan 4 2021, 6:12 PM

sbassett added a subtask: T270988: CVE-2021-30155: Titleblacklist didn't prevent creation of pages by Special:ChangeContentModel when a rule was met.Jan 6 2021, 10:40 PM

Reedy added a subtask: T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move.Jan 29 2021, 8:38 PM

sbassett added a subtask: T274883: Parse warnings shown in plain wikitext with live preview.Feb 22 2021, 9:07 PM

sbassett updated the task description. (Show Details)Feb 22 2021, 9:11 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)

sbassett closed subtask T274883: Parse warnings shown in plain wikitext with live preview as Resolved.Feb 26 2021, 8:22 PM

sbassett added a subtask: T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Mar 3 2021, 5:53 PM

Reedy added a subtask: T276843: Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 and CVE-2021-27291.Mar 8 2021, 5:58 PM

sbassett triaged this task as Medium priority.Mar 10 2021, 8:15 PM

sbassett updated the task description. (Show Details)

sbassett mentioned this in T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level.Mar 25 2021, 2:16 PM

Reedy updated the task description. (Show Details)Mar 30 2021, 12:40 AM

Reedy updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Mar 30 2021, 12:42 AM

Reedy added a subtask: T277009: CVE-2021-30158: Allow blocked users to access Special:ResetTokens.

Reedy added a subtask: T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).

Reedy closed subtask T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) as Resolved.Mar 30 2021, 12:45 AM

Reedy updated the task description. (Show Details)

Reedy added a subtask: T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles.

Reedy updated the task description. (Show Details)

Reedy closed subtask T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles as Resolved.Mar 30 2021, 12:48 AM

Reedy updated the task description. (Show Details)Mar 30 2021, 12:51 AM

Reedy updated the task description. (Show Details)Mar 30 2021, 12:56 AM

Reedy changed the status of subtask T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users from Stalled to Open.Mar 30 2021, 1:05 AM

Legoktm updated the task description. (Show Details)Mar 30 2021, 3:57 AM

Reedy updated the task description. (Show Details)Mar 30 2021, 12:19 PM

Reedy set Due Date to Apr 8 2021, 10:30 PM.Mar 31 2021, 6:26 PM

Reedy updated the task description. (Show Details)Apr 4 2021, 9:29 PM

Reedy updated the task description. (Show Details)Apr 4 2021, 9:38 PM

Reedy updated the task description. (Show Details)Apr 4 2021, 9:47 PM

Reedy closed subtask T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level as Resolved.Apr 4 2021, 10:33 PM

Reedy updated the task description. (Show Details)

Reedy closed subtask T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move as Resolved.Apr 4 2021, 10:52 PM

Reedy closed subtask T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users as Resolved.Apr 5 2021, 12:06 AM

Reedy updated the task description. (Show Details)Apr 5 2021, 12:10 AM

Reedy updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Apr 5 2021, 12:13 AM

Reedy closed subtask T276843: Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 and CVE-2021-27291 as Resolved.Apr 5 2021, 12:22 AM

Reedy updated the task description. (Show Details)Apr 5 2021, 12:38 AM

Reedy updated the task description. (Show Details)Apr 6 2021, 7:14 PM

Reedy removed a subtask: T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Apr 6 2021, 8:43 PM

Reedy updated the task description. (Show Details)

Reedy added a subtask: T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Apr 6 2021, 9:12 PM

Reedy updated the task description. (Show Details)

Reedy removed a subtask: T276306: CVE-2021-30156: Special:Contributions toolbar reveals existence of hidden users.Apr 6 2021, 9:28 PM

Reedy updated the task description. (Show Details)

Reedy closed subtask T270988: CVE-2021-30155: Titleblacklist didn't prevent creation of pages by Special:ChangeContentModel when a rule was met as Resolved.Apr 7 2021, 3:10 AM

Legoktm added a subtask: T279451: CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.Apr 7 2021, 11:07 PM

Legoktm updated the task description. (Show Details)Apr 7 2021, 11:12 PM

Legoktm updated the task description. (Show Details)Apr 8 2021, 3:07 AM

Legoktm updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Apr 8 2021, 3:15 PM

Reedy closed this task as Resolved.Apr 8 2021, 9:09 PM

Reedy claimed this task.

Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".

Reedy changed the edit policy from "acl*security (Project)" to "All Users".

Reedy closed subtask T279451: CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags as Resolved.Apr 8 2021, 9:25 PM

DannyS712 mentioned this in T279726: Tracking bug for MediaWiki 1.31.15/1.35.3/1.36.1.Apr 13 2021, 2:00 AM