Page MenuHomePhabricator
Create Task
Maniphest T297839

Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2)
Closed, ResolvedPublic
Actions

Description

Previous work: T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1)

Maniphest IDExtension or SkinCVE IDREL1_35REL1_36REL1_37master
T285116EchoCVE-2022-28324N/AN/AYesYes
T298019GrowthExperimentsCVE-2022-28326N/AN/AN/AYes
T298581MobileFrontendCVE-2022-28325YesNoYesYes
T298434SecurePollCVE-2022-28323N/AYesYesYes
T294256FileImporterCVE-2022-28206N/AN/AN/AYes
T298312GrowthExperimentsCVE-2022-28207YesYesYesYes
T302248CentralAuthCVE-2022-28205N/AN/AN/AYes, Yes
T302215WikibaseCVE-2022-28208YesYesYesYes
T302192JsonConfigCVE-2021-28210YesYesYesYes
T160800TimedMediaHandlerCVE-2022-28211YesYesYesYes
T304126AntiSpoofCVE-2022-28209N/AYesYesYes
T304354FlaggedRevsCVE-2022-28212N/AN/AYesYes
T226212CentralAuthCVE-2022-28322N/AN/AYesYes

template

TxxxxxxExtNameCVE-2022-yyyyyNoNoNoNo

n.b. For the Echo bug, there is an updated patch here: T285116#7585701
n.b. Two patches for the JsonConfig issue, should be squashed
n.b. Two patches for the CentralAuth issue
possibly include: T302199: QuizGame: Administrative API module lets unauthenticated requests through

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Reedy subscribed.Dec 15 2021, 8:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 15 2021, 8:53 PM
Reedy added a parent task: T297829: Release MediaWiki 1.35.6/1.36.4/1.37.2.Dec 15 2021, 8:53 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Dec 15 2021, 9:11 PM
sbassett assigned this task to Mstyles.Dec 21 2021, 3:30 PM
sbassett subscribed.
sbassett triaged this task as Low priority.Dec 21 2021, 3:33 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Dec 21 2021, 5:42 PM
sbassett added a subtask: T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324).
sbassett mentioned this in T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324).Dec 21 2021, 10:20 PM
sbassett updated the task description. (Show Details)Jan 4 2022, 10:30 PM
sbassett mentioned this in T298019: i18n XSS in GrowthExperiments suggested edits pager (CVE-2022-28326).Jan 4 2022, 11:05 PM
sbassett updated the task description. (Show Details)Jan 5 2022, 5:30 PM
sbassett mentioned this in T298581: Mobile version of Special:Contributions leaks existence of globally suppressed users (CVE-2022-28325).Jan 5 2022, 5:33 PM
sbassett added a project: user-sbassett.Jan 5 2022, 9:58 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 18 2022, 11:19 PM
sbassett updated the task description. (Show Details)
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Jan 25 2022, 4:52 PM
sbassett added a project: Security-Team.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett updated the task description. (Show Details)Jan 25 2022, 4:57 PM
sbassett updated the task description. (Show Details)Feb 1 2022, 3:47 PM
sbassett mentioned this in T294256: FileImporter allows imports to cascade protected files when the importer does not have administrator permissions (CVE-2022-28206).Feb 1 2022, 3:50 PM
sbassett updated the task description. (Show Details)Feb 1 2022, 3:54 PM
sbassett mentioned this in T298312: Special:Impact leaks suppressed usernames (CVE-2022-28207).Feb 1 2022, 3:58 PM
sbassett updated the task description. (Show Details)Feb 22 2022, 4:34 PM
sbassett updated the task description. (Show Details)Feb 22 2022, 4:41 PM
sbassett mentioned this in T302248: CentralAuth expiring global groups do not expire (CVE-2022-28205).Feb 22 2022, 4:46 PM
sbassett updated the task description. (Show Details)Feb 22 2022, 9:05 PM
sbassett mentioned this in T302215: HTML injection / XSS from i18n message in WikibaseClient edit hook (CVE-2022-28208).
sbassett updated the task description. (Show Details)Feb 22 2022, 9:14 PM
sbassett mentioned this in T302192: Data fields in Commons tabular datasets allow running arbitrary JS (CVE-2022-28210).Feb 22 2022, 9:17 PM
sbassett updated the task description. (Show Details)Feb 23 2022, 8:51 PM
sbassett mentioned this in T160800: TimedMediaHandler doesn't prevent blocked users from restarting transcodes (CVE-2022-28211).Mar 14 2022, 9:47 PM
sbassett updated the task description. (Show Details)
Reedy added a subtask: T304126: One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209).Mar 21 2022, 10:31 PM
sbassett updated the task description. (Show Details)Mar 22 2022, 1:20 AM
sbassett updated the task description. (Show Details)Mar 22 2022, 6:54 PM
sbassett mentioned this in T304354: It is impossible to oversight who has reviewed a revision via FlaggedRevs (CVE-2022-28212).Mar 22 2022, 8:04 PM
sbassett updated the task description. (Show Details)Mar 28 2022, 4:34 PM
sbassett added a subscriber: mmartorana.EditedMar 28 2022, 4:37 PM

Freezing task and dividing up CVE requests for release (to be sent out later this week or early next):

  1. @mmartorana: 1 through 4
  2. @sbassett: 5 through 8
  3. @Mstyles: 9 through 12
sbassett updated the task description. (Show Details)Mar 30 2022, 7:19 PM
sbassett updated the task description. (Show Details)Mar 30 2022, 8:39 PM
sbassett updated the task description. (Show Details)Mar 31 2022, 5:33 PM
Mstyles updated the task description. (Show Details)Mar 31 2022, 5:37 PM
sbassett updated the task description. (Show Details)Mar 31 2022, 5:40 PM
Mstyles closed subtask T304126: One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209) as Resolved.Mar 31 2022, 5:44 PM
sbassett updated the task description. (Show Details)Mar 31 2022, 6:22 PM
sbassett updated the task description. (Show Details)Mar 31 2022, 6:56 PM
sbassett updated the task description. (Show Details)
DannyS712 mentioned this in T305209: Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.2).Mar 31 2022, 10:14 PM
mmartorana updated the task description. (Show Details)Apr 1 2022, 1:12 PM
sbassett updated the task description. (Show Details)Apr 4 2022, 8:38 PM
sbassett updated the task description. (Show Details)Apr 4 2022, 8:47 PM
sbassett updated the task description. (Show Details)Apr 4 2022, 8:49 PM
sbassett updated the task description. (Show Details)Apr 4 2022, 8:53 PM
sbassett updated the task description. (Show Details)Apr 4 2022, 9:00 PM
sbassett updated the task description. (Show Details)Apr 5 2022, 2:38 PM
sbassett updated the task description. (Show Details)Apr 5 2022, 2:44 PM
sbassett updated the task description. (Show Details)Apr 5 2022, 2:46 PM
Mstyles updated the task description. (Show Details)Apr 5 2022, 4:44 PM
Mstyles updated the task description. (Show Details)Apr 5 2022, 4:47 PM
sbassett closed subtask T285116: Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU (CVE-2022-28324) as Resolved.Apr 5 2022, 5:50 PM
sbassett added a comment.Apr 5 2022, 6:05 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.6/1.36.4/1.37.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.6/1.36.4/1.37.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ExName 1

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 2

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 3

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 4

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 5

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 6

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 7

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 8

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 9

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 10

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 11

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 12

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 13

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>== ExName 10 ==

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/52Am
[1] https://phabricator.wikimedia.org/T297839
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana added a comment.EditedApr 7 2022, 5:29 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.6/1.36.4/1.37.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.6/1.36.4/1.37.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Echo

+ (T285116, CVE-2022-28324) - Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/Echo/+/777008/

GrowthExperiments

+ (T298019, CVE-2022-28326) - i18n XSS in GrowthExperiments suggested edits pager
<gerrit url>

MobileFrontend

+ (T298581, CVE-2022-28325) - Mobile version of Special:Contributions leaks existence of globally suppressed users
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/MobileFrontend/+/751934/

SecurePoll

+ (T298434, CVE-2022-28323) - SecurePoll leaks voter's exact vote timestamp
<gerrit url>

FileImporter

+ (T294256, CVE-2022-28206) - FileImporter allows imports to cascade protected files when the importer does not have administrator permissions
<gerrit url>

GrowthExperiments

+ (T298312, CVE-2022-28207) - Special:Impact leaks suppressed usernames
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/GrowthExperiments/+/775927/

CentralAuth

+ (T302248, CVE-2022-28205) - CentralAuth expiring global groups do not expire
<gerrit url>

Wikibase

+ (T302215, CVE-2022-28208) - HTML injection / XSS from i18n message in WikibaseClient edit hook
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/Wikibase/+/776032/

JsonConfig

+ (T302192, CVE-2021-28210) - Data fields in Commons tabular datasets allow running arbitrary JS
<gerrit url>

TimedMediaHandler

+ (T160800, CVE-2022-28211) - TimedMediaHandler doesn't prevent blocked users from restarting transcodes
<gerrit url>

AntiSpoof

+ (T304126, CVE-2022-28209) - One of the checks for 'override-antispoof' permission is inverted
<gerrit url>

FlaggedRevs

+ (T304354, CVE-2022-28212) - It is impossible to oversight who has reviewed a revision via FlaggedRevs
<gerrit url>

CentralAuth

+ (T226212, CVE-2022-28322) - Global rename log shows timestamp of suppressed action
<gerrit url>== ExName 10 ==

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/52Am
[1] https://phabricator.wikimedia.org/T297839
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett added a comment.Apr 7 2022, 6:41 PM

@mmartorana - looking pretty good, once we get the rest of the gerrit urls in there...

Mstyles added a comment.Apr 7 2022, 7:02 PM

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.6/1.36.4/1.37.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.6/1.36.4/1.37.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Echo

+ (T285116, CVE-2022-28324) - Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU
https://gerrit.wikimedia.org/r/q/I0551fe64042676f8a2b35afb82a3b4e9c09ea673

GrowthExperiments

+ (T298019, CVE-2022-28326) - i18n XSS in GrowthExperiments suggested edits pager
https://gerrit.wikimedia.org/r/q/Iadc224a038ef0cec072cc1d6b84277355648f9f9

MobileFrontend

+ (T298581, CVE-2022-28325) - Mobile version of Special:Contributions leaks existence of globally suppressed users
https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038

SecurePoll

+ (T298434, CVE-2022-28323) - SecurePoll leaks voter's exact vote timestamp
https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038

FileImporter

+ (T294256, CVE-2022-28206) - FileImporter allows imports to cascade protected files when the importer does not have administrator permissions
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/757022

GrowthExperiments

+ (T298312, CVE-2022-28207) - Special:Impact leaks suppressed usernames
https://gerrit.wikimedia.org/r/q/mediawiki/extensions/GrowthExperiments/+/775927/

CentralAuth

+ (T302248, CVE-2022-28205) - CentralAuth expiring global groups do not expire
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765336
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765335

Wikibase

+ (T302215, CVE-2022-28208) - HTML injection / XSS from i18n message in WikibaseClient edit hook
https://gerrit.wikimedia.org/r/q/Ife8620d65577e53b03ef4674f54d1684e2f5a773

JsonConfig

+ (T302192, CVE-2021-28210) - Data fields in Commons tabular datasets allow running arbitrary JS
https://gerrit.wikimedia.org/r/q/Ifa2f6ec9ccce3b781e83a9905392e70d6a7340ad

TimedMediaHandler

+ (T160800, CVE-2022-28211) - TimedMediaHandler doesn't prevent blocked users from restarting transcodes
https://gerrit.wikimedia.org/r/q/I285c7c189af350be22f5de7b1c6757ad7479a20c

AntiSpoof

+ (T304126, CVE-2022-28209) - One of the checks for 'override-antispoof' permission is inverted
https://gerrit.wikimedia.org/r/q/Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7

FlaggedRevs

+ (T304354, CVE-2022-28212) - It is impossible to oversight who has reviewed a revision via FlaggedRevs
https://gerrit.wikimedia.org/r/q/I563bc73829d3a7c6349d364287ba42df78f3c91a

CentralAuth

+ (T226212, CVE-2022-28322) - Global rename log shows timestamp of suppressed action
https://gerrit.wikimedia.org/r/q/Ica7fedf10a4a8cca3d4b811ff05bfd5553753603

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/52Am
[1] https://phabricator.wikimedia.org/T297839
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles added a comment.Apr 7 2022, 7:11 PM

Supplemental announcement is out!

sbassett closed this task as Resolved.Apr 7 2022, 9:24 PM
sbassett changed the visibility from "acl*security (Project)" to "Public (No Login Required)".
sbassett changed the edit policy from "acl*security (Project)" to "All Users".
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett awarded a token.Apr 13 2022, 3:19 PM
Bawolff subscribed.EditedMar 8 2023, 5:24 PM

Just as a note, a lot of these cves for extensions seem to have the product field set to mediawiki, and the version numbers of affected versions set to mediawiki core versions. This is pretty confusing for the extensions not bundled with mediawiki core. I think its causing confusion in downstream packagers of mediawiki - e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2161180 which doesn't make much sense

sbassett added a comment.Mar 8 2023, 6:01 PM
In T297839#8677172, @Bawolff wrote:

Just as a note, a lot of these cves for extensions seem to have the product field set to mediawiki, and the version numbers of affected versions set to mediawiki core versions. This is pretty confusing for the extensions not bundled with mediawiki core. I think its causing confusion in downstream packagers of mediawiki - e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2161180 which doesn't make much sense

We can try to standardize this a bit more for the supplemental releases, but as noted on the other bug, sometimes Mitre changes these inputs from our original submissions. Most mediawiki extensions also track with core releases AFAIK, which is what we try to work with by default, if those release branches exist. If an extension _doesn't_ follow that paradigm, we try to note that within the release and at least link to any master/main backports.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits