Page MenuHomePhabricator
Create Task
Maniphest T297896

Apply changes from 1.35.5 to unsupported legacy branch `REL1_31`
Closed, DeclinedPublic
Actions

Description

Just recently a new release of MediaWiki 1.35 (and newer) has been made available. It addresses a couple of security issues. Even though MediaWiki 1.31 is no longer supported, there may be users that are not able/willing to upgrade to more modern versions (e.g. due to heavy customization). Therefore it would be great if those important changes could be made available to them.

Proposed patch: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/747874
This is related to T271037, T34716, T297416, T297574, T297322.

Also cherry-picked change from VisualEditor: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/747703

Related Objects

Event Timeline

Osnard created this task.Dec 16 2021, 4:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 16 2021, 4:31 PM
Osnard updated the task description. (Show Details)Dec 16 2021, 4:34 PM
Osnard updated the task description. (Show Details)
Aklapper added a comment.Dec 16 2021, 4:47 PM

Wouldn't such actions kind of encourage people to stick to an unsupported insecure branch, instead of upgrading to supported versions?

Aklapper added a project: MediaWiki-Releasing.Dec 16 2021, 4:49 PM
Legoktm closed this task as Declined.Dec 16 2021, 5:30 PM
Legoktm subscribed.

Indeed, REL1_31 is end-of-life and no longer receives support. If people cannot upgrade off of 1.31 at this point, why would they pull in this kind of upstream patch or even check? The published LocalSettings.php mitigations are a much better option IMO, and explicitly call out working on end-of-life versions for this reason.

That said, people should feel free to distribute unofficial patches to those who want them - I already published my own patches for 1.31 (https://salsa.debian.org/mediawiki-team/mediawiki/-/commit/9bceb027353d3258bd638e93c493734b52453251) and even 1.27!! (https://salsa.debian.org/mediawiki-team/mediawiki/-/commit/ff2983c00704b80c967d9b047a67d65f013b562d)

The VisualEditor XSS is pretty hard to exploit (see T293589#7435793), I really see no point in backporting it. That's up to the VisualEditor maintainers though, as it wasn't a bundled extension for 1.31.

Osnard added a comment.Dec 17 2021, 8:43 AM

Okay, thanks for the feedback. BlueSpice team will deliver those patches in their legacy packages anyways.

I totally agree, that one should have upgraded to 1.35 by now, but unfortunately there are still some older instances around. We will keep having an eye on any security related patches and try to backport them until we have upgraded all the instances we maintain.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits