Page MenuHomePhabricator
Create Task
Maniphest T285414

Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2)
Closed, ResolvedPublic
Actions

Description

Previous work: T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1)

Maniphest IDExtension or SkinCVE IDREL1_31REL1_35REL1_36master
T286376DataDumpCVE-2021-32774NoNoNoYes
T286385GlobalWatchlistCVE-2021-42046NoNoYes, YesYes, Yes
T286884TranslateCVE-2021-42049YesYesYesYes
T289063Growth ExperimentsCVE-2021-42047NoNoNoYes
T289064Growth ExperimentsCVE-2021-42048NoNoYesYes
T289385SecurePollCVE-2021-42045NoNoNoYes
T289408Growth ExperimentsCVE-2021-42044NoNoNoYes
T290692Growth ExperimentsCVE-2021-42042NoNoNoYes
T287347LoopsCVE-2021-42040NoYesYesYes
T291696CentralAuthCVE-2021-42041NoYesYesYes
T291600MediaSearchCVE-2021-42043NoNoNoYes

n.b. T279090 (ReplaceText) was included as part of the primary security release (T285404)
n.b. Should T281923 be included? (No)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReedyT266419 Composer 2.0 updates and support
 ResolvedReedyT266421 Rebuild mediawiki-vendor on composer 2.0
 ResolvedReedyT275824 Bump wikimedia/composer-merge-plugin in vendor
 ResolvedtstarlingT248908 composer-merge-plugin support for composer 2.0
Restricted Task
 ResolvedJdforrester-WMFT279857 Re-build CI containers with Composer 2.x
 ResolvedJdforrester-WMFT281294 Drop CI for REL1_31 branch once it's EOL
 ResolvedAklapperT230582 Archive Oracle Database project
 ResolvedAklapperT230583 Archive MSSQL project
 ResolvedReedyT279858 Formally EOL REL1_31
 ResolvedReedyT285404 Release MediaWiki 1.31.16/1.35.4/1.36.2
 ResolvedMstylesT285414 Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2)
 ResolvedSecuritysbassettT286376 Add DataDump CVE-2021-32774 to extensions security announcement
 ResolvedSecurityRhinosF1T279090 CVE-2021-41801: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked)
Restricted Task
 ResolvedSecurityLegoktmT289385 Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045)
 ResolvedSecurityDannyS712T286385 XSS in GlobalWatchlist (CVE-2021-42046)
 ResolvedSecurity Urbanecm_WMFT289063 Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047)
 ResolvedSecurity mewophT289064 Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048)
 ResolvedSecurity Urbanecm_WMFT289408 Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044)
 ResolvedSecurity Urbanecm_WMFT290692 Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042)
 ResolvedSecurityTheVoidwalkerT287347 Loops can cause php-fpm exhaustion (CVE-2021-42040)

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Reedy added projects: Security, MediaWiki-Releasing.Jun 23 2021, 5:25 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 23 2021, 5:25 PM
Reedy added a parent task: T285404: Release MediaWiki 1.31.16/1.35.4/1.36.2.Jun 23 2021, 5:25 PM
DannyS712 updated the task description. (Show Details)Jun 23 2021, 10:14 PM
sbassett claimed this task.Jun 29 2021, 10:12 PM
sbassett triaged this task as Low priority.
sbassett added a project: user-sbassett.
sbassett updated the task description. (Show Details)Jun 30 2021, 8:32 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 2 2021, 8:39 PM
DannyS712 mentioned this in T284403: WikiLambda extension (wikilambda_edit action) is missing CSRF protection.Jul 10 2021, 3:27 AM
Reedy added a subtask: T286376: Add DataDump CVE-2021-32774 to extensions security announcement.Jul 10 2021, 2:32 PM
sbassett added a subtask: T279090: CVE-2021-41801: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked).Jul 12 2021, 4:56 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T286385: XSS in GlobalWatchlist (CVE-2021-42046).Jul 14 2021, 8:29 PM
sbassett updated the task description. (Show Details)
sbassett added a subtask: Restricted Task.Jul 20 2021, 1:55 AM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T287347: Loops can cause php-fpm exhaustion (CVE-2021-42040).Jul 26 2021, 9:06 PM
Reedy updated the task description. (Show Details)Aug 4 2021, 7:04 PM
sbassett closed subtask T286376: Add DataDump CVE-2021-32774 to extensions security announcement as Resolved.Aug 4 2021, 7:04 PM
sbassett updated the task description. (Show Details)Aug 18 2021, 8:02 PM
sbassett mentioned this in T289063: Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047).Aug 18 2021, 8:08 PM
sbassett mentioned this in T289064: Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048).
Legoktm added a subtask: T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045).Aug 20 2021, 11:22 PM
Legoktm updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Aug 23 2021, 8:50 PM
sbassett updated the task description. (Show Details)Sep 10 2021, 2:49 AM
sbassett mentioned this in T290692: Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042).Sep 10 2021, 2:56 AM
sbassett updated the task description. (Show Details)Sep 10 2021, 3:01 AM
sbassett updated the task description. (Show Details)Sep 10 2021, 3:03 AM
sbassett added subtasks: T286385: XSS in GlobalWatchlist (CVE-2021-42046), T289063: Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047), T289064: Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048), T289408: Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044), T290692: Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042).Sep 10 2021, 3:06 AM
sbassett updated the task description. (Show Details)Sep 13 2021, 4:11 PM
sbassett added a subtask: T287347: Loops can cause php-fpm exhaustion (CVE-2021-42040).
sbassett updated the task description. (Show Details)Sep 24 2021, 8:52 PM
sbassett mentioned this in T291696: XSS vulnerability in the 'setchange' log (CVE-2021-42041).
sbassett updated the task description. (Show Details)Sep 24 2021, 9:15 PM
sbassett added a subscriber: Zabe.Sep 27 2021, 3:50 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Sep 29 2021, 4:04 PM
sbassett updated the task description. (Show Details)Sep 29 2021, 9:44 PM
Reedy closed subtask T279090: CVE-2021-41801: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked) as Resolved.Sep 30 2021, 5:02 PM
DannyS712 mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Sep 30 2021, 7:18 PM
sbassett updated the task description. (Show Details)Sep 30 2021, 8:35 PM
sbassett updated the task description. (Show Details)Sep 30 2021, 8:39 PM
sbassett updated the task description. (Show Details)Sep 30 2021, 8:47 PM
sbassett updated the task description. (Show Details)Sep 30 2021, 8:49 PM
sbassett updated the task description. (Show Details)Oct 1 2021, 8:30 PM
sbassett updated the task description. (Show Details)Oct 1 2021, 8:33 PM
sbassett closed subtask T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045) as Resolved.
Mstyles updated the task description. (Show Details)Oct 1 2021, 11:41 PM
sbassett updated the task description. (Show Details)Oct 4 2021, 7:08 PM
sbassett updated the task description. (Show Details)Oct 4 2021, 7:11 PM
Restricted Application added a project: User-RhinosF1. · View Herald TranscriptOct 4 2021, 7:11 PM
sbassett closed subtask T287347: Loops can cause php-fpm exhaustion (CVE-2021-42040) as Resolved.Oct 4 2021, 7:18 PM
sbassett closed subtask Restricted Task as Resolved.Oct 4 2021, 9:00 PM
sbassett closed subtask T286385: XSS in GlobalWatchlist (CVE-2021-42046) as Resolved.Oct 4 2021, 9:12 PM
DannyS712 reopened subtask T286385: XSS in GlobalWatchlist (CVE-2021-42046) as Open.Oct 4 2021, 10:42 PM
sbassett updated the task description. (Show Details)Oct 5 2021, 2:41 PM
DannyS712 closed subtask T286385: XSS in GlobalWatchlist (CVE-2021-42046) as Resolved.Oct 5 2021, 3:47 PM
sbassett added a comment.EditedOct 5 2021, 7:11 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.16/1.35.4/1.36.2)

Greetings-

With the security/maintenance release of MediaWiki 1.31.16/1.35.4/1.36.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

DataDump

+ (T286376, CVE-2021-32774) - Potential CSRF generating dumps
https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b

GlobalWatchlist

+ (T286385, CVE-2021-42046) - XSS in GlobalWatchlist
https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d
https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983

Translate

+ (T286884, CVE-2021-42049) - Oversight action not reversible in translated page
<https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3 >

GrowthExperiments

+ (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins
<https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/720088 >

GrowthExperiments

+ (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts
<https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 >

SecurePoll

+ (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS
https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578

Growth Experiments

+ (T289408, CVE-2021-42044) - Permanent XSS exploitable by wiki admins (client-side part)
https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6

Growth Experiments

+ (T290692, CVE-2021-42042) - Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig
https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f

Loops

+ (T287347, CVE-2021-42040) - Loops can cause php-fpm exhaustion
https://gerrit.wikimedia.org/r/q/I0caf6f129f94612b5bcf406a171aa5ffedea1f80

CentralAuth

+ (T291696, CVE-2021-42041) - XSS vulnerability in the 'setchange' log
https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35

MediaSearch

+ (T291600, CVE-2021-42043) - XSS on Special:MediaSearch
https://gerrit.wikimedia.org/r/q/If64eb5842237c92290d07ebc3fe14710d9de3fc2

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
[1] https://phabricator.wikimedia.org/T285414
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett added a comment.Oct 5 2021, 7:57 PM

Update: I have requested CVEs from Mitre for the last 5 extensions within the table:

  1. T289408: Mentor dashboard: Permanent XSS exploitable by wiki admins (client-side part) (CVE-2021-42044)
  2. T290692: Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig (CVE-2021-42042)
  3. T287347: Loops can cause php-fpm exhaustion (CVE-2021-42040)
  4. T291696: XSS vulnerability in the 'setchange' log (CVE-2021-42041)
  5. T291600: XSS on Special:MediaSearch (CVE-2021-42043)
DannyS712 subscribed.Oct 5 2021, 8:00 PM

@sbassett whats the deadline to solve a security issue for it to be included in this release?

sbassett added a comment.Oct 5 2021, 8:01 PM
In T285414#7403590, @DannyS712 wrote:

@sbassett whats the deadline to solve a security issue for it to be included in this release?

Probably a day or two ago? Next supplemental is already tracked at T292236.

DannyS712 added a comment.Oct 5 2021, 8:02 PM

Okay, nevermind then - it can wait

sbassett added a comment.Oct 5 2021, 8:05 PM

@DannyS712 - Also keep in mind that nothing included within these supplemental releases is typically held for any reason, like core and bundled patches are for the regular security release. Anything on here can be deployed, backported and then disclosed as soon as those things can happen, and then just mentioned in this release later on for additional exposure.

DannyS712 added a comment.Oct 5 2021, 8:06 PM
In T285414#7403610, @sbassett wrote:

@DannyS712 - Also keep in mind that nothing included within these supplemental releases is typically held for any reason, like core and bundled patches are for the regular security release. Anything on here can be deployed, backported and then disclosed as soon as those things can happen, and then just mentioned in this release later on for additional exposure.

Okay, thanks. I was thinking specifically about T292578

Mstyles updated the task description. (Show Details)Oct 7 2021, 8:28 PM
sbassett updated the task description. (Show Details)Oct 7 2021, 8:31 PM
Mstyles subscribed.Oct 7 2021, 8:48 PM

email draft

== GlobalWatchlist ==
+ (T286385, CVE-2021-42046) - XSS in GlobalWatchlist
<https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d>
<https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983>

== Translate ==
+ (T286884, CVE-2021-42049) - Oversight action not reversible in translated page
<https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3 >

== GrowthExperiments ==
+ (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins
<https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/720088 >

== GrowthExperiments ==
+ (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts 
<https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 >

== SecurePoll ==
+ (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS 
<https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578>
sbassett closed this task as Resolved.Oct 7 2021, 9:07 PM
sbassett reassigned this task from sbassett to Mstyles.
sbassett subscribed.

And sent, via @Mstyles!

sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Oct 7 2021, 9:08 PM
sbassett changed the edit policy from "acl*security (Project)" to "All Users".
Restricted Application added subscribers: Reception123, RhinosF1. · View Herald TranscriptOct 7 2021, 9:08 PM
sbassett moved this task from In Progress to Done on the user-sbassett board.Oct 7 2021, 9:08 PM
sbassett mentioned this in T293341: MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147).Oct 14 2021, 3:57 PM
Reedy updated the task description. (Show Details)Jan 4 2022, 4:04 PM
Maintenance_bot moved this task from Radar to Done on the User-RhinosF1 board.Jan 4 2022, 4:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits