Page MenuHomePhabricator
Create Task
Maniphest T279733

Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T270466

Maniphest IDExtension or SkinCVE IDREL1_31REL1_35REL1_36master
T281043SocialProfileCVE-2021-36130YesYesYesYes
T281196SportsTeamsCVE-2021-36131NoNoNoYes
T280590FileImporterCVE-2021-36132NoYesYesYes
T281417ManageWikiCVE-2021-29483NoNoNoYes
T260865CentralAuthCVE-2021-36125NoYesYesYes
T281972CentralAuthCVE-2021-36128NoNoYesYes
T282932TranslateCVE-2021-36129YesYesYesYes
T284364AbuseFilterCVE-2021-36126NoNoYesYes
T285190CentralAuthCVE-2021-36127YesYesYesYes

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Apr 8 2021, 10:31 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2021, 10:31 PM
Reedy added a parent task: T279725: Release MediaWiki 1.31.15/1.35.3/1.36.1.Apr 8 2021, 10:31 PM
DannyS712 updated the task description. (Show Details)Apr 13 2021, 2:02 AM
sbassett claimed this task.Apr 13 2021, 3:42 PM
sbassett triaged this task as Low priority.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Apr 13 2021, 3:44 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 17 2021, 1:00 AM
sbassett updated the task description. (Show Details)Apr 23 2021, 8:20 PM
sbassett updated the task description. (Show Details)Apr 27 2021, 6:05 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 28 2021, 9:34 PM
Restricted Application added a project: User-RhinosF1. · View Herald TranscriptApr 28 2021, 9:34 PM
sbassett updated the task description. (Show Details)Apr 28 2021, 9:36 PM
sbassett updated the task description. (Show Details)
DannyS712 removed a project: User-RhinosF1.Apr 28 2021, 9:59 PM
sbassett added a project: Security-Team.May 3 2021, 2:37 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett updated the task description. (Show Details)May 5 2021, 8:32 PM
sbassett updated the task description. (Show Details)May 17 2021, 2:38 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T260865: Very long usernames can cause an infinite loop when loading Special:GlobalRenameRequest (CVE-2021-36125).May 17 2021, 9:49 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett mentioned this in T282932: Aggregategroups Action API module allows deleting translatable page metadata for any group without trace (CVE-2021-36129).May 25 2021, 9:49 PM
sbassett updated the task description. (Show Details)Jun 2 2021, 10:17 PM
sbassett mentioned this in T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128).Jun 2 2021, 10:19 PM
sbassett updated the task description. (Show Details)Jun 3 2021, 9:04 PM
sbassett updated the task description. (Show Details)Jun 7 2021, 9:14 PM
sbassett mentioned this in T284364: Bad english MediaWiki:Abusefilter-blocker breaks filters (CVE-2021-36126).Jun 7 2021, 9:17 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.32.15/1.35.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.32.15/1.35.3/1.36.1).Jun 8 2021, 12:33 AM
Mstyles updated the task description. (Show Details)Jun 21 2021, 9:18 PM
DannyS712 mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Jun 23 2021, 10:14 PM
DannyS712 renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.32.15/1.35.3/1.36.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Jun 23 2021, 10:17 PM
sbassett updated the task description. (Show Details)EditedJun 29 2021, 10:05 PM

Update: I hope to have this out by the end of this week (2021-07-02) before the WMF takes its summer refresh/vacation break the following week.

sbassett updated the task description. (Show Details)Jun 30 2021, 8:33 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 9:33 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 9:46 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 10:01 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 10:13 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 10:28 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 10:38 PM
sbassett updated the task description. (Show Details)Jul 1 2021, 10:45 PM
sbassett updated the task description. (Show Details)Jul 2 2021, 7:49 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 2 2021, 7:54 PM
sbassett updated the task description. (Show Details)Jul 2 2021, 8:01 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 2 2021, 8:03 PM
sbassett updated the task description. (Show Details)
sbassett added a comment.EditedJul 2 2021, 8:16 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.15/1.35.3/1.36.1)

Greetings-

With the security/maintenance release of MediaWiki 1.31.15/1.35.3/1.36.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

== SocialProfile ==
+ (T281043, CVE-2021-36130) - Stored XSS in various SystemGifts-related special pages
< https://gerrit.wikimedia.org/r/q/Id915eba45497a1a0dc1c4e00818a2fd4c0ce55d3 >

== SportsTeams ==
+ (T281196, CVE-2021-36131) - Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams
< https://gerrit.wikimedia.org/r/691913 >

== FileImporter ==
+ (T280590, CVE-2021-36132) - Special:ImportFile does not check permissions from own config FileImporterRequiredRight
< https://gerrit.wikimedia.org/r/q/I8ff2a67abd2c118a3469e4410eac2a451bfa76c3 >

== ManageWiki ==
+ (T281417, CVE-2021-29483) - 'wikiconfig' API leaked private config variables
< https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv >

== CentralAuth ==
+ (T260865, CVE-2021-36125) - Very long usernames can cause an infinite loop when loading Special:GlobalRenameRequest
< https://gerrit.wikimedia.org/r/q/I97d8b3236b5abed8ba9a9c4d3ab5050c2e782c22 >
+ (T281972, CVE-2021-36128) - Disable autoblocks for CentralAuth-issued suppression blocks
< https://gerrit.wikimedia.org/r/q/I15d14c88a1e30df92c470bc191c4ee573172d4d1 >
+ (T285190, CVE-2021-36127) - Special:GlobalUserRights reveals existence of globally suppressed users
< https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec >

== Translate ==
+ (T282932, CVE-2021-36129) - Aggregategroups Action API module allows deleting translatable page metadata for any group without trace
< https://gerrit.wikimedia.org/r/q/I3619a7e88c2eb979babb7b027d4fdbfabc0af792 >

== AbuseFilter ==
+ (T284364, CVE-2021-36126) - Bad english MediaWiki:Abusefilter-blocker breaks filters
< https://gerrit.wikimedia.org/r/q/I9e9f44b7663e810de70fb9ac7f6760f83dd4895b >

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/
[1] https://phabricator.wikimedia.org/T279733
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

DannyS712 subscribed.Jul 2 2021, 8:19 PM
In T279733#7194995, @sbassett wrote:

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.15/1.35.3/1.36.1)

I see that there are three different section headings for CentralAuth - can they be combined?

sbassett added a comment.Jul 2 2021, 8:23 PM
In T279733#7194999, @DannyS712 wrote:

I see that there are three different section headings for CentralAuth - can they be combined?

Sure, see above.

sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Jul 2 2021, 8:30 PM
sbassett changed the edit policy from "acl*security (Project)" to "All Users".
Restricted Application added a subscriber: Reception123. · View Herald TranscriptJul 2 2021, 8:30 PM
sbassett closed this task as Resolved.EditedJul 2 2021, 8:31 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.

Sent.

n.b. hyperkitty does not care for angle brackets wrapped around URLs.

sbassett moved this task from In Progress to Done on the user-sbassett board.Jul 2 2021, 8:31 PM
sbassett updated the task description. (Show Details)Jul 2 2021, 8:35 PM
sbassett updated the task description. (Show Details)Jul 2 2021, 8:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits