Page MenuHomePhabricator
Create Task
Maniphest T301064

Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI
Closed, ResolvedPublicSecurity
Actions

Description

Targeting both the most recent Mediawiki 1.35 and 1.36 based Wikibase releases, i.e. 1.35.5-wmde3, and 1.36.3-wmde4.

Issues for which fixes are to be included:
T297686: Wikidata Query UI lets users build links with arbitrary link text and javascript: URL
T298839: XSS in WDQS query helper
T298871: XSS in WDQS UI result view explore button

Once the Wikibase releases are published, security fixes applied to Wikidata and wikibase.cloud, the relevant issues and tasks can be made public and closed.

Details

Author Affiliation
Wikimedia Deutschland

Related Objects
Search...

Event Timeline

WMDE-leszek created this task.Feb 6 2022, 11:55 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 6 2022, 11:55 AM
WMDE-leszek added a project: Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022).Feb 6 2022, 11:56 AM
WMDE-leszek moved this task from Backlog to Not prioritized/Not Ready/Other on the Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022) board.Feb 6 2022, 12:10 PM
WMDE-leszek moved this task from Not prioritized/Not Ready/Other to Backlog on the Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022) board.
Reedy renamed this task from Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI. to Publish maintenance releases of Wikibase including fixes to XSS vulnerabilities in the Query Service UI.Feb 7 2022, 4:45 PM
Reedy edited projects, added SecTeam-Processed; removed Security-Team.
Addshore claimed this task.Feb 9 2022, 2:34 PM
Addshore moved this task from Backlog to Doing on the Wikibase Suite Team (Wikibase Suite Maintenance Releases Feb 2022) board.
Addshore added a parent task: T301359: Prepare wmde.5 (1.36) minor / security release.Feb 9 2022, 3:01 PM
Addshore added a subscriber: Lydia_Pintscher.Feb 10 2022, 10:11 AM
Addshore closed this task as Resolved.Feb 10 2022, 7:10 PM
Addshore changed the visibility from "Custom Policy" to "Public (No Login Required)".
Addshore changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits