
Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.2)
Closed, Resolved · Public · Security

Details

Risk Rating
Informational
Author Affiliation
WMF Technology Dept

Event Timeline

sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett changed the task status from Open to In Progress. Apr 18 2022, 4:12 PM
sbassett triaged this task as Low priority.
sbassett updated the task description.
sbassett updated the task description.
sbassett changed the edit policy from "acl*security (Project)" to "sbassett (Scott Bassett)".
sbassett edited subscribers, added: RhinosF1, sbassett, Mstyles, mmartorana; removed: Aklapper.
sbassett raised the priority of this task from Low to Needs Triage. Apr 27 2022, 7:40 PM
sbassett triaged this task as Low priority.
sbassett changed the visibility from "sbassett (Scott Bassett)" to "Public (No Login Required)".
sbassett changed the edit policy from "sbassett (Scott Bassett)" to "All Users".
sbassett set Security to Software security bug.
sbassett added a project: Security-Team.
sbassett changed the visibility from "Public (No Login Required)" to "Custom Policy".
sbassett changed the subtype of this task from "Task" to "Security Issue".
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed Risk Rating from N/A to Informational.
sbassett changed the edit policy from "All Users" to "Subscribers".

Requested CVEs for these (1257973)

RhinosF1 updated the task description.

Added.

Also - for anything that's unsupported on a previous release branch, we've typically been putting N/A for Not Available as it's shorter and a more general description.

Table is now up to date. All extensions without a CVE have a request for one outstanding. (RSS also done now)

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.2). Jun 6 2022, 3:02 PM

Update: CVE request submitted for T307028. The one for T308659 might be a bit more involved or even delayed - need to discuss with folks on the bug.

Update: CVE has now been requested for T308659 and a duplicate removal request has been made for T307028.

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.7/1.37.3/1.38.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.7/1.37.3/1.38.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ExName 1

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 2

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 3

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 4

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 5

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 6

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 7

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 8

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/5QKY
[1] https://phabricator.wikimedia.org/T305209
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.7/1.37.3/1.38.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.7/1.37.3/1.38.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

ExName 1

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 2

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 3

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

ExName 4

+ (Txxxxxx, CVE-2021-yyyyy) - Bug title
<gerrit url>

FanBoxes

+ (T306741, CVE-2022-29905) - Classic CSRF in Special:UserBoxes
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FanBoxes/+/786327

QuizGame

+ (T302199, CVE-2022-29906) - Administrative API module lets unauthenticated requests through
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/QuizGame/+/765651

RSS

+ (T307028, CVE-2022-29969) - XSS in Extension:RSS when $wgRSSAllowLinkTag = true;
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RSS/+/787807

Wikibase, WikibaseLexeme

+ (T308659, CVE-2022-34750) - Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/809203/

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/5QKY
[1] https://phabricator.wikimedia.org/T305209
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

{{draft}}

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.7/1.37.3/1.38.2)

Greetings-

With the security/maintenance release of MediaWiki 1.35.7/1.37.3/1.38.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Create Redirect

+ (T306174, CVE-2022-29547) - add to extension supplement for CreateRedirect Auth issues 
https://gerrit.wikimedia.org/r/q/I7b2069128b917aa1231ae4f9179557d696fdcae0

Private Domains

+ (T306290, CVE-2022-29903) - No anti-CSRF token in the edit form
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416

Semantic Drilldown

+ (T306463, CVE-2022-29904) - SQL injection
https://gerrit.wikimedia.org/r/q/I99359ecb7c5c44acb1e3f43cbb41ba200067dca0

Nimbus

+ (T306815, CVE-2022-29907) - XSS via the "Advertise" link interface messages
https://gerrit.wikimedia.org/r/c/mediawiki/skins/Nimbus/+/786959

FanBoxes

+ (T306741, CVE-2022-29905) - Classic CSRF in Special:UserBoxes
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FanBoxes/+/786327

QuizGame

+ (T302199, CVE-2022-29906) - Administrative API module lets unauthenticated requests through
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/QuizGame/+/765651

RSS

+ (T307028, CVE-2022-29969) - XSS in Extension:RSS when $wgRSSAllowLinkTag = true;
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RSS/+/787807

Wikibase, WikibaseLexeme

+ (T308659, CVE-2022-34750) - Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/809203/

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/5QKY
[1] https://phabricator.wikimedia.org/T305209
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles moved this task from In Progress to Our Part Is Done on the Security-Team board.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Subscribers" to "All Users".

@Mstyles:

(T306174, CVE-2022-29547) - add to extension supplement for CreateRedirect Auth issues
https://gerrit.wikimedia.org/r/q/I7b2069128b917aa1231ae4f9179557d696fdcae0

This is not correct; it is simply the title of my bug asking to add it to the list. It does not describe the actual issue properly.

@RhinosF1 sorry for the mixup. Hopefully folks can get clarity when they read the phab ticket