| RhinosF1 | |
| Jul 26 2021, 7:51 AM |
| F34564401: T287347.patch | |
| Jul 26 2021, 7:08 PM |
In https://phabricator.miraheze.org/T7695,
Extension:Loops has a loop counter that should prevent a loop from executing more than 100 times. > However, simply creating a page with:
{{#while:|true|}}
causes it to loop indefinitely, which hangs php-fpm and consumes all available resources.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Reedy | T266419 Composer 2.0 updates and support | |||
| Resolved | Reedy | T266421 Rebuild mediawiki-vendor on composer 2.0 | |||
| Resolved | Reedy | T275824 Bump wikimedia/composer-merge-plugin in vendor | |||
| Resolved | tstarling | T248908 composer-merge-plugin support for composer 2.0 | |||
| Restricted Task | |||||
| Resolved | Jdforrester-WMF | T279857 Re-build CI containers with Composer 2.x | |||
| Resolved | Jdforrester-WMF | T281294 Drop CI for REL1_31 branch once it's EOL | |||
| Resolved | Aklapper | T230582 Archive Oracle Database project | |||
| Resolved | Aklapper | T230583 Archive MSSQL project | |||
| Resolved | Reedy | T279858 Formally EOL REL1_31 | |||
| Resolved | Reedy | T285404 Release MediaWiki 1.31.16/1.35.4/1.36.2 | |||
| Resolved | Mstyles | T285414 Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2) | |||
| Resolved | Security | TheVoidwalker | T287347 Loops can cause php-fpm exhaustion (CVE-2021-42040) |
Untagging Security-Team for now. If someone posts a patch for review or this gets to the point where it should be a part of the supplemental security announcement, we can help out with that and track as appropriate.
+1 to the patch above. Since ext:Loops isn't deployed on WMF infrastructure, there's nothing for the Security-Team to do regarding deployment, but we'd recommend:
I'm going to try and find someone with time so we can still get back ports out as soon as Jenkins allows us to reduce the wait after the patch is uploaded
Yes, though I typically wait until the supplemental security release comes out, which is usually around the end of the quarter (September 30, 2021 being the next end of quarter for the WMF).
It has my +2 but I can't say if it's good enough to go through gerrit or not. I leave that to the security team on which method is better to handle this security patch.
For these types of extensions - non-bundled, non-Wikimedia-deployed - the Security-Team typically leaves the decision on the timing of backports to the current maintainers, and then attempts to track them within the quarterly supplemental security announcement. Ideally, some general version of the following steps would be followed by the current maintainers, but given limited resources and imperfect/impossible tracking of where such extensions are production-deployed outside of Wikimedia, they merely serve as guidance:
Turns out I never did this, sorry about that. Anyhow, it's there now. With this task being public and the backports merged, this can definitely be resolved. I like to leave tasks like this open, so that I remember there's something still left to do (CVE) for the supplemental announcement. But that's definitely not a big deal, and if this is cluttering other peoples' boards, etc., it should be resolved.