
Apply changes from 1.35.5 to unsupported legacy branch `REL1_31`
Closed, Declined (Public)

Description

Just recently a new release of MediaWiki 1.35 (and newer) has been made available. It addresses a couple of security issues. Even though MediaWiki 1.31 is no longer supported, there may be users that are not able/willing to upgrade to more modern versions (e.g. due to heavy customization). Therefore it would be great if those important changes could be made available to them.

Proposed patch: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/747874
This is related to T271037, T34716, T297416, T297574, T297322.

Also cherry-picked change from VisualEditor: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/747703

Event Timeline

Osnard updated the task description.

Wouldn't such actions kind of encourage people to stick to an unsupported insecure branch, instead of upgrading to supported versions?

Legoktm subscribed.

Indeed, REL1_31 is end-of-life and no longer receives support. If people cannot upgrade off of 1.31 at this point, why would they pull in this kind of upstream patch or even check? The published LocalSettings.php mitigations are a much better option IMO, and explicitly call out working on end-of-life versions for this reason.

That said, people should feel free to distribute unofficial patches to those who want them - I already published my own patches for 1.31 (https://salsa.debian.org/mediawiki-team/mediawiki/-/commit/9bceb027353d3258bd638e93c493734b52453251) and even 1.27!! (https://salsa.debian.org/mediawiki-team/mediawiki/-/commit/ff2983c00704b80c967d9b047a67d65f013b562d)

The VisualEditor XSS is pretty hard to exploit (see T293589#7435793), I really see no point in backporting it. That's up to the VisualEditor maintainers though, as it wasn't a bundled extension for 1.31.

Okay, thanks for the feedback. BlueSpice team will deliver those patches in their legacy packages anyways.

I totally agree that one should have upgraded to 1.35 by now, but unfortunately there are still some older instances around. We will keep having an eye on any security-related patches and try to backport them until we have upgraded all the instances we maintain.