Page MenuHomePhabricator
Create Task
Maniphest T292236

Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2)

Maniphest IDExtension or SkinCVE IDREL1_35REL1_36REL1_37master
T292351Dynamic Page List 3 / DPL3CVE-2021-41118N/AYesYesYes
T292795CheckUserCVE-2021-46150YesYesYesYes
T293556WikibaseMediaInfoCVE-2021-46146YesYesYesYes
T293341MassEditRegexCVE-2021-46147N/AN/AYesYes
T293749UniversalLanguageSelectorCVE-2021-46149YesYesYesYes
T290808SecurePollCVE-2021-46148YesYesYesYes
T294693WikibaseCVE-2021-45473YesYesYesYes
T296605FileImporterCVE-2021-45474YesYesYesYes
T296578EntitySchema (two patches)CVE-2021-454711, 21, 21, 21, 2
T297570WikibaseCVE-2021-45472YesYesYesYes

n.b. It's probably a good idea to call out the related though not-technically-security-patches for SecurePoll within the next announcement (they're all on the task for that issue).

template

TxxxxxxExtNameCVE-2021-yyyyyNoNoNoNo

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3).Sep 30 2021, 6:46 PM
DannyS712 updated the task description. (Show Details)Sep 30 2021, 7:18 PM
Reedy added a subtask: T292351: CVE-2021-41118: ReDOS in DPL3.Oct 4 2021, 3:40 PM
sbassett triaged this task as Low priority.Oct 4 2021, 6:47 PM
sbassett updated the task description. (Show Details)
sbassett added projects: user-sbassett, Security-Team, Security Team AppSec.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett moved this task from In Progress to Waiting on the user-sbassett board.
sbassett added a subscriber: sbassett.
sbassett updated the task description. (Show Details)Oct 4 2021, 6:50 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).Oct 5 2021, 8:01 PM
sbassett moved this task from Waiting to In Progress on the user-sbassett board.Oct 7 2021, 9:11 PM
sbassett added a subscriber: Mstyles.
sbassett updated the task description. (Show Details)Oct 13 2021, 6:42 PM
sbassett mentioned this in T293341: MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147).Oct 14 2021, 3:57 PM
sbassett updated the task description. (Show Details)Oct 18 2021, 6:42 PM
sbassett mentioned this in T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).Oct 18 2021, 7:12 PM
sbassett updated the task description. (Show Details)Oct 18 2021, 9:44 PM
sbassett updated the task description. (Show Details)Oct 19 2021, 2:40 PM
sbassett updated the task description. (Show Details)Oct 21 2021, 7:10 PM
sbassett updated the task description. (Show Details)Oct 21 2021, 7:14 PM
sbassett updated the task description. (Show Details)Oct 22 2021, 8:48 PM
sbassett updated the task description. (Show Details)Oct 25 2021, 2:42 PM
sbassett updated the task description. (Show Details)Nov 2 2021, 2:39 PM
sbassett mentioned this in T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148).Nov 2 2021, 2:48 PM
sbassett updated the task description. (Show Details)
Reedy added a subtask: T292795: XSS vulnerability in Special:CheckUserLog (CVE-2021-46150).Nov 3 2021, 6:40 PM
Reedy closed subtask T292795: XSS vulnerability in Special:CheckUserLog (CVE-2021-46150) as Resolved.
Reedy added subtasks: T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146), T293341: MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147), T293749: /w/api.php?action=languagesearch denial of service (CVE-2021-46149), T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324), T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148).
Reedy changed the status of subtask T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148) from Open to In Progress.Nov 3 2021, 6:45 PM
sbassett updated the task description. (Show Details)Nov 8 2021, 9:52 PM
sbassett mentioned this in T294693: XSS on page information Wikibase central description (CVE-2021-45473).
sbassett updated the task description. (Show Details)Nov 29 2021, 7:54 PM
sbassett mentioned this in T296605: XSS in Special:ImportFile URL (CVE-2021-45474).Nov 29 2021, 10:23 PM
sbassett mentioned this in T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471).Nov 29 2021, 10:36 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 6 2021, 4:41 PM
sbassett updated the task description. (Show Details)Dec 6 2021, 7:52 PM
Reedy closed subtask T293749: /w/api.php?action=languagesearch denial of service (CVE-2021-46149) as Resolved.Dec 10 2021, 8:20 PM
Reedy closed subtask T293341: MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147) as Resolved.
sbassett updated the task description. (Show Details)Dec 14 2021, 7:06 PM
sbassett mentioned this in T297570: XSS in Wikibase using formatter URL (CVE-2021-45472).
sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Dec 21 2021, 3:33 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 21 2021, 5:29 PM
sbassett closed subtask T292351: CVE-2021-41118: ReDOS in DPL3 as Resolved.
sbassett updated the task description. (Show Details)Dec 21 2021, 5:34 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 5:37 PM
mmartorana updated the task description. (Show Details)Dec 21 2021, 5:37 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 5:39 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 5:41 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 5:44 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 21 2021, 5:50 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 5:52 PM
sbassett updated the task description. (Show Details)
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 21 2021, 8:17 PM
sbassett updated the task description. (Show Details)Dec 21 2021, 10:11 PM
sbassett added a subscriber: mmartorana.Dec 23 2021, 5:16 PM

Processing notes:

Mitre form: https://cveform.mitre.org/

@maryum - Wikibase, FileImporter, EntitySchema (2 patches), Wikibase

@mmartorana - CheckUser, WikibaseMediaInfo, MassEditRegex, UniversalLanguageSelector, SecurePoll

sbassett removed subtasks: T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148), T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324).Dec 23 2021, 5:16 PM
sbassett added a comment.Dec 23 2021, 5:23 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ExName 1

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 2

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 3

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 4

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 5

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 6

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 7

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 8

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 9

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 10

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
[1] https://phabricator.wikimedia.org/T292236
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett added subtasks: T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148), T294693: XSS on page information Wikibase central description (CVE-2021-45473), T296605: XSS in Special:ImportFile URL (CVE-2021-45474), T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471), T297570: XSS in Wikibase using formatter URL (CVE-2021-45472).Dec 23 2021, 5:25 PM
sbassett updated the task description. (Show Details)Dec 23 2021, 5:28 PM
WMDE-leszek added a subscriber: WMDE-leszek.Jan 3 2022, 9:24 AM
WMDE-leszek added subscribers: Addshore, Rosalie_WMDE, toan and 6 others.Jan 3 2022, 9:30 AM
Mstyles updated the task description. (Show Details)Jan 4 2022, 6:06 PM
mmartorana updated the task description. (Show Details)Jan 10 2022, 10:46 AM
mmartorana closed subtask T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471) as Resolved.Jan 10 2022, 6:37 PM
mmartorana closed subtask T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148) as Resolved.Jan 10 2022, 6:40 PM
Mstyles added a comment.Jan 10 2022, 10:45 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Dynamic Page List 3/ DPL3

+ (T292351, CVE-2021-41118) - ReDOS in DPL3
https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4

CheckUser

+ (T292795, CVE-2021-46150) - XSS Vulnerability in Special:CheckUserLog
https://gerrit.wikimedia.org/r/q/If7cd112e627f47f9aca69b380dde1634bf55f789

WikibaseMediaInfo

+ (T293556, CVE-2021-46146) - Stored XSS via WikibaseMediaInfo caption fields
https://gerrit.wikimedia.org/r/q/I58d37fb59f998f5bec4a018bf9da96a777f8ff78

UniversalLanguageSelector

+ (T293749, CVE-2021-46149) - /w/api.php?action=languagesearch denial of service
https://gerrit.wikimedia.org/r/q/Ide32704cca578b9aecbce34bdcc0ac25c2a09a4d

SecurePoll

+ (T290808, CVE-2021-46148) - Users with no NDA can access confidential information
https://gerrit.wikimedia.org/r/q/Ic7510be487a1bf9215de9ae6cf4a26fad96384c9

Wikibase

+ (T294693, CVE-2021-45473) - XSS on page information Wikibase central description
https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d

FileImporter

+ (T296605, CVE-2021-45474) - XSS in Special:ImportFile URL
https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e

EntitySchema

+ (T296578, CVE-2021-45471) - Globally blocked IPs can edit EntitySchema items
https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9, https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c

Wikibase

+ (T297570, CVE-2021-45472) - XSS in Wikibase using formatter URL
https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

Note: The SecurePoll Extension had other enhancements that were related to the security bug [4] but did not address the security concerns directly. See Phabricator [5] for more information.

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
[1] https://phabricator.wikimedia.org/T292236
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[4] https://phabricator.wikimedia.org/T290808
[5] https://phabricator.wikimedia.org/T277353

Mstyles added a comment.Jan 10 2022, 10:58 PM

Supplemental announcement is out!

Mstyles changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Jan 10 2022, 10:59 PM
Restricted Application added a subscriber: Universal_Omega. · View Herald TranscriptJan 10 2022, 10:59 PM
Mstyles changed the edit policy from "acl*security (Project)" to "All Users".Jan 10 2022, 11:00 PM
sbassett closed this task as Resolved.Jan 11 2022, 3:06 PM
sbassett claimed this task.
sbassett reassigned this task from sbassett to Mstyles.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett awarded a token.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL