Page MenuHomePhabricator
Create Task
Maniphest T292351

CVE-2021-41118: ReDOS in DPL3
Closed, ResolvedPublicSecurity
Actions

Description

In DPL3 before 3.3.6, a ReDOS vulnerability exists.

For users of 1.35, no fixed version is unfortunately available (only supports 1.36/1.37).

https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4 has been published.

Users of 1.35 should Set $wgDplSettings['functionalRichness'] = 0;

Please add to the extension supplemental announcement

Details

Author Affiliation
Wikimedia Communities

Related Objects
Search...

Event Timeline

RhinosF1 created this task.Oct 2 2021, 9:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 2 2021, 9:03 PM
RhinosF1 added projects: User-RhinosF1, user-sbassett, Vuln-DoS, MediaWiki-extensions-Other.Oct 2 2021, 9:04 PM
RhinosF1 added a subscriber: sbassett.
Reedy added a parent task: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Oct 4 2021, 3:40 PM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.Oct 4 2021, 3:51 PM
RhinosF1 renamed this task from ReDOS in DPL3 to CVE-2021-41118: ReDOS in DPL3.Oct 4 2021, 5:08 PM
RhinosF1 updated the task description. (Show Details)
RhinosF1 updated the task description. (Show Details)Oct 4 2021, 5:18 PM
sbassett mentioned this in T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).Oct 4 2021, 6:50 PM
sbassett removed a project: user-sbassett.Oct 5 2021, 7:07 PM
sbassett closed this task as Resolved.Dec 21 2021, 5:30 PM
sbassett claimed this task.
sbassett triaged this task as Low priority.
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 10 2022, 6:10 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".
Maintenance_bot moved this task from Radar to Done on the User-RhinosF1 board.Jan 10 2022, 6:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL