
Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1)
Closed, ResolvedPublic

Event Timeline

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3).Sep 30 2021, 6:46 PM
sbassett updated the task description.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett moved this task from In Progress to Waiting on the user-sbassett board.
sbassett added a subscriber: sbassett.
sbassett updated the task description.
sbassett updated the task description.
sbassett updated the task description.
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Dec 21 2021, 8:17 PM

Processing notes:

Mitre form: https://cveform.mitre.org/

@maryum - Wikibase, FileImporter, EntitySchema (2 patches), Wikibase

@mmartorana - CheckUser, WikibaseMediaInfo, MassEditRegex, UniversalLanguageSelector, SecurePoll

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ExName 1

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 2

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 3

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 4

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 5

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 6

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 7

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 8

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 9

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 10

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
[1] https://phabricator.wikimedia.org/T292236
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Dynamic Page List 3 / DPL3

+ (T292351, CVE-2021-41118) - ReDoS in DPL3
https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4

CheckUser

+ (T292795, CVE-2021-46150) - XSS Vulnerability in Special:CheckUserLog
https://gerrit.wikimedia.org/r/q/If7cd112e627f47f9aca69b380dde1634bf55f789

WikibaseMediaInfo

+ (T293556, CVE-2021-46146) - Stored XSS via WikibaseMediaInfo caption fields
https://gerrit.wikimedia.org/r/q/I58d37fb59f998f5bec4a018bf9da96a777f8ff78

UniversalLanguageSelector

+ (T293749, CVE-2021-46149) - /w/api.php?action=languagesearch denial of service
https://gerrit.wikimedia.org/r/q/Ide32704cca578b9aecbce34bdcc0ac25c2a09a4d

SecurePoll

+ (T290808, CVE-2021-46148) - Users with no NDA can access confidential information
https://gerrit.wikimedia.org/r/q/Ic7510be487a1bf9215de9ae6cf4a26fad96384c9

Wikibase

+ (T294693, CVE-2021-45473) - XSS on page information Wikibase central description
https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d

FileImporter

+ (T296605, CVE-2021-45474) - XSS in Special:ImportFile URL
https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e

EntitySchema

+ (T296578, CVE-2021-45471) - Globally blocked IPs can edit EntitySchema items
https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9
https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c

Wikibase

+ (T297570, CVE-2021-45472) - XSS in Wikibase using formatter URL
https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

Note: The SecurePoll Extension had other enhancements that were related to the security bug [4] but did not address the security concerns directly. See Phabricator [5] for more information.

[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
[1] https://phabricator.wikimedia.org/T292236
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[4] https://phabricator.wikimedia.org/T290808
[5] https://phabricator.wikimedia.org/T277353

Mstyles changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Jan 10 2022, 10:59 PM
Mstyles changed the edit policy from "acl*security (Project)" to "All Users".Jan 10 2022, 11:00 PM
sbassett claimed this task.
sbassett reassigned this task from sbassett to Mstyles.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett awarded a token.