1.37.1
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	Sep 30 2021, 6:37 PM

Description

Previous work: T285405: Tracking bug for MediaWiki 1.31.16/1.35.4/1.36.2

Tracking bug for next security release, 1.35.5/1.36.3/1.37.1

n.b. T292763 already landed in mw core master and, therefore, has been disclosed.

n.b. T294686 is for Nuke, which is bundled and deployed, but the vulnerability in this task was only on master for a week or so, so it was technically disclosed early, but should likely be mentioned within the release announcement.

Maniphest ID	CVE ID	REL1_35	REL1_36	REL1_37	master
T293589	CVE-2021-44855				01-T293589-rev2.patch1 KBDownload
T292763	CVE-2021-44854	merged	merged	merged	merged
T294686	n/a	merged	merged	merged	merged
T271037	CVE-2021-44856	0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch1 KBDownload	0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch1 KBDownload	0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch1 KBDownload	0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch1 KBDownload
T297322	CVE-2021-44857, CVE-2021-44858	0001-SECURITY-Fix-permissions-checks-in-undo-actions-REL1_36.patch5 KBDownload	0001-SECURITY-Fix-permissions-checks-in-undo-actions-REL1_36.patch5 KBDownload	0001-SECURITY-Fix-permissions-checks-in-undo-actions-REL1_37.patch5 KBDownload	0001-SECURITY-Fix-permissions-checks-in-undo-actions-master.patch5 KBDownload
T297574	CVE-2021-45038	0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch1 KBDownload	0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch1 KBDownload	0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch1 KBDownload	0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch1 KBDownload
T297416	n/a	0001-SECURITY-Require-read-right-for-most-actions-REL1_35.patch2 KBDownload	0001-SECURITY-Require-read-right-for-most-actions-REL1_36.patch2 KBDownload	0001-SECURITY-Require-read-right-for-most-actions-REL1_37.patch2 KBDownload	0001-SECURITY-Require-read-right-for-most-actions-master.patch2 KBDownload

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T292226 Release MediaWiki 1.35.5/1.36.3/1.37.1
Resolved		Reedy	T292227 Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1
Resolved	Security	matmarex	T293589 CVE-2021-44855: Blind Stored XSS via Upload Image via URL
Resolved	Security	• nnikkhoui	T292763 CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis
Resolved	Security	Urbanecm	T294686 Special:Nuke isn't working at all
Resolved	Security	matmarex	T271037 CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value
Resolved	Security	Legoktm	T297322 CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo
Resolved	Security	Legoktm	T297574 CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action
Resolved	Security	taavi	T297416 Restrict access to most actions on $wgWhitelistRead pages on private wikis
Open	Feature	None	T34716 $wgWhitelistRead leaks username data (Because it allows viewing ?action=history)

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 30 2021, 6:37 PM

Reedy subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2021, 6:37 PM

Reedy added a parent task: T292226: Release MediaWiki 1.35.5/1.36.3/1.37.1.Sep 30 2021, 6:37 PM

Reedy renamed this task from Tracking bug for MediaWiki 1.31.16/1.35.4/1.36.2 to Tracking bug for MediaWiki 1.35.5/1.36.3.Sep 30 2021, 6:44 PM

Reedy updated the task description. (Show Details)

DannyS712 updated the task description. (Show Details)Sep 30 2021, 7:16 PM

sbassett added a subtask: T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.Oct 18 2021, 9:52 PM

sbassett added a subtask: T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis.Oct 22 2021, 7:34 PM

sbassett updated the task description. (Show Details)

sbassett added a subtask: T294686: Special:Nuke isn't working at all.Nov 1 2021, 3:38 PM

sbassett updated the task description. (Show Details)Nov 1 2021, 3:51 PM

sbassett mentioned this in T294686: Special:Nuke isn't working at all.Nov 1 2021, 3:55 PM

Ladsgroup closed subtask T294686: Special:Nuke isn't working at all as Resolved.Nov 2 2021, 9:25 AM

Reedy closed subtask T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL as Resolved.Nov 3 2021, 6:47 PM

daniel closed subtask T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis as Resolved.Nov 11 2021, 11:44 AM

Reedy renamed this task from Tracking bug for MediaWiki 1.35.5/1.36.3 to Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Nov 24 2021, 5:19 PM

Mstyles added a subtask: T271037: CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.Dec 6 2021, 10:23 PM

sbassett added a subtask: T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .Dec 9 2021, 2:44 AM

Reedy updated the task description. (Show Details)Dec 9 2021, 6:14 PM

Reedy closed subtask T271037: CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value as Resolved.Dec 10 2021, 5:52 PM

Reedy updated the task description. (Show Details)Dec 10 2021, 7:55 PM

Reedy updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Dec 10 2021, 7:58 PM

Reedy updated the task description. (Show Details)Dec 10 2021, 8:07 PM

Reedy changed the task status from Open to In Progress.Dec 10 2021, 8:10 PM

Reedy triaged this task as Medium priority.

Reedy added a subtask: T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action.Dec 13 2021, 2:58 AM

Reedy changed the status of subtask T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action from Open to In Progress.

Reedy changed the status of subtask T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo from Open to In Progress.

Reedy updated the task description. (Show Details)Dec 13 2021, 3:08 AM

Reedy updated the task description. (Show Details)Dec 13 2021, 3:11 AM

Reedy updated the task description. (Show Details)Dec 13 2021, 6:32 PM

Legoktm updated the task description. (Show Details)Dec 15 2021, 1:01 AM

Legoktm updated the task description. (Show Details)Dec 15 2021, 1:05 AM

Legoktm updated the task description. (Show Details)Dec 15 2021, 1:14 AM

Legoktm added subtasks: T297416: Restrict access to most actions on $wgWhitelistRead pages on private wikis, T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history).Dec 15 2021, 3:17 AM

Legoktm mentioned this in T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .Dec 15 2021, 3:19 AM

Reedy closed subtask T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo as Resolved.Dec 15 2021, 7:53 PM

Reedy closed subtask T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action as Resolved.

Reedy closed subtask T297416: Restrict access to most actions on $wgWhitelistRead pages on private wikis as Resolved.

Reedy closed subtask T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history) as Resolved.

Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".

Reedy changed the edit policy from "acl*security (Project)" to "All Users".

Dylsss reopened subtask T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history) as Open.Dec 17 2021, 10:48 PM

Reedy closed this task as Resolved.Dec 22 2021, 1:32 AM

Reedy claimed this task.

Reedy mentioned this in T297830: Tracking bug for MediaWiki 1.35.6/1.36.4/1.37.2.Mar 20 2022, 12:44 PM

	F34884237: 0001-SECURITY-Require-read-right-for-most-actions-master.patch
	Dec 15 2021, 1:14 AM

	F34884238: 0001-SECURITY-Require-read-right-for-most-actions-REL1_37.patch
	Dec 15 2021, 1:14 AM

	F34884240: 0001-SECURITY-Require-read-right-for-most-actions-REL1_35.patch
	Dec 15 2021, 1:14 AM

	F34884239: 0001-SECURITY-Require-read-right-for-most-actions-REL1_36.patch
	Dec 15 2021, 1:14 AM

	F34884234: 0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch
	Dec 15 2021, 1:05 AM

	F34884223: 0001-SECURITY-Fix-permissions-checks-in-undo-actions-master.patch
	Dec 15 2021, 1:01 AM

	F34884224: 0001-SECURITY-Fix-permissions-checks-in-undo-actions-REL1_37.patch
	Dec 15 2021, 1:01 AM

	F34884225: 0001-SECURITY-Fix-permissions-checks-in-undo-actions-REL1_36.patch
	Dec 15 2021, 1:01 AM

Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1Closed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1
Closed, ResolvedPublic
Actions

Related Objects
Search...