
Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2)
Closed, ResolvedPublic

Related Objects

| Status | Subtype | Assigned |
|---|---|---|
| Open | | None |
| Resolved | | Reedy |
| Resolved | | Reedy |
| Resolved | | tstarling |
| Resolved | | Jdforrester-WMF |
| Resolved | | Jdforrester-WMF |
| Resolved | | Aklapper |
| Resolved | | Aklapper |
| Resolved | | Reedy |
| Resolved | | Reedy |
| Resolved | | Mstyles |
| Resolved | Security | sbassett |
| Resolved | Security | RhinosF1 |
| Resolved | Security | Legoktm |
| Resolved | Security | DannyS712 |
| Resolved | Security | Urbanecm_WMF |
| Resolved | Security | mewoph |
| Resolved | Security | Urbanecm_WMF |
| Resolved | Security | Urbanecm_WMF |
| Resolved | Security | TheVoidwalker |

Event Timeline

sbassett triaged this task as Low priority.
sbassett added a project: user-sbassett.
sbassett updated the task description.
sbassett updated the task description.
sbassett closed subtask Restricted Task as Resolved. Oct 4 2021, 9:00 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.16/1.35.4/1.36.2)

Greetings-

With the security/maintenance release of MediaWiki 1.31.16/1.35.4/1.36.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

DataDump

+ (T286376, CVE-2021-32774) - Potential CSRF generating dumps
https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b

GlobalWatchlist

+ (T286385, CVE-2021-42046) - XSS in GlobalWatchlist
https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d
https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983

Translate

+ (T286884, CVE-2021-42049) - Oversight action not reversible in translated page
<https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3>

GrowthExperiments

+ (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins
<https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/720088>

GrowthExperiments

+ (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts
<https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537>

SecurePoll

+ (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS
https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578

GrowthExperiments

+ (T289408, CVE-2021-42044) - Permanent XSS exploitable by wiki admins (client-side part)
https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6

GrowthExperiments

+ (T290692, CVE-2021-42042) - Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig
https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f

Loops

+ (T287347, CVE-2021-42040) - Loops can cause php-fpm exhaustion
https://gerrit.wikimedia.org/r/q/I0caf6f129f94612b5bcf406a171aa5ffedea1f80

CentralAuth

+ (T291696, CVE-2021-42041) - XSS vulnerability in the 'setchange' log
https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35

MediaSearch

+ (T291600, CVE-2021-42043) - XSS on Special:MediaSearch
https://gerrit.wikimedia.org/r/q/If64eb5842237c92290d07ebc3fe14710d9de3fc2

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or to the relevant, supported release branch [2] as soon as possible. Some of the Phabricator tasks referenced above _may_ still be private. Unfortunately, security reports sometimes expose sensitive information, and because Phabricator preserves task history, we cannot make such tasks public without also exposing that information. If you have any additional questions or concerns regarding this update, please contact security@wikimedia.org or file a security task in Phabricator [3].

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
[1] https://phabricator.wikimedia.org/T285414
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

@sbassett what's the deadline to solve a security issue for it to be included in this release?

Probably a day or two ago? Next supplemental is already tracked at T292236.

Okay, never mind then - it can wait.

@DannyS712 - Also keep in mind that nothing included within these supplemental releases is typically held for any reason, like core and bundled patches are for the regular security release. Anything on here can be deployed, backported and then disclosed as soon as those things can happen, and then just mentioned in this release later on for additional exposure.

Okay, thanks. I was thinking specifically about T292578.

email draft

== GlobalWatchlist ==
+ (T286385, CVE-2021-42046) - XSS in GlobalWatchlist
<https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d>
<https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983>

== Translate ==
+ (T286884, CVE-2021-42049) - Oversight action not reversible in translated page
<https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3>

== GrowthExperiments ==
+ (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins
<https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/720088>

== GrowthExperiments ==
+ (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts
<https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537>

== SecurePoll ==
+ (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS
<https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578>

sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)". Oct 7 2021, 9:08 PM
sbassett changed the edit policy from "acl*security (Project)" to "All Users".