Maniphest T311776

Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	Jun 30 2022, 9:02 PM

Tags

Referenced Files

	F35538605: T307278-master.patch
	Sep 29 2022, 12:56 AM

	F35538604: T307278-REL1_38.patch
	Sep 29 2022, 12:56 AM

	F35485641: 02-T307278.patch
	Sep 25 2022, 7:18 PM

	F35490459: 0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch
	Sep 25 2022, 7:09 PM

Subscribers

Description

Previous work: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2

Tracking bug for next security release, 1.35.8/1.37.5/1.38.3

Maniphest ID	CVE ID	REL1_35	REL1_37	REL1_38	REL1_39	master
T309894	CVE-2022-41765
T307278	CVE-2022-41766	not affected	T307278-REL1_38.patch1 KBDownload	T307278-REL1_38.patch1 KBDownload	T307278-master.patch1 KBDownload	T307278-master.patch1 KBDownload
T316304	CVE-2022-41767	0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload	0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload	0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload	0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload	0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch1 KBDownload

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Reedy	T311775 Release MediaWiki 1.35.8/1.37.5/1.38.3
		Resolved		Reedy	T311776 Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3
		Resolved	Security	matmarex	T309894 CVE-2022-41765: HTMLUserTextField exposes existence of hidden users
		Resolved	Security	mmartorana	T307278 CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name
		Resolved	Security	Reedy	T316304 CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Jun 30 2022, 9:02 PM

Reedy subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2022, 9:02 PM

Reedy added a parent task: T311775: Release MediaWiki 1.35.8/1.37.5/1.38.3.Jun 30 2022, 9:02 PM

DannyS712 updated the task description. (Show Details)Jul 1 2022, 12:56 AM

Reedy renamed this task from Tracking bug for MediaWiki 1.35.8/1.37.4/1.38.3 to Tracking bug for MediaWiki 1.35.8/1.37.5/1.38.3.Jul 8 2022, 5:01 PM

Reedy updated the task description. (Show Details)

Zabe subscribed.Jul 13 2022, 9:00 PM

sbassett added a subtask: T309894: CVE-2022-41765: HTMLUserTextField exposes existence of hidden users.Jul 18 2022, 9:40 PM

sbassett added a subtask: T307278: CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name.Aug 23 2022, 3:39 PM

sbassett mentioned this in T307278: CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name.Aug 23 2022, 4:06 PM

Reedy added a subtask: T316304: CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions.Sep 25 2022, 6:40 PM

Reedy changed the status of subtask T316304: CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions from Open to In Progress.

Reedy changed the task status from Open to In Progress.Sep 25 2022, 6:43 PM

Reedy updated the task description. (Show Details)Sep 25 2022, 7:04 PM

Reedy updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Sep 25 2022, 7:09 PM

Reedy updated the task description. (Show Details)Sep 25 2022, 7:18 PM

Reedy updated the task description. (Show Details)

Reedy attached a referenced file: F35485641: 02-T307278.patch. (Show Details)

Reedy attached a referenced file: F35490459: 0001-SECURITY-reassignEdits-Delete-rows-from-ip_changes.patch. (Show Details)

Legoktm updated the task description. (Show Details)Sep 29 2022, 12:56 AM

Reedy updated the task description. (Show Details)Sep 29 2022, 5:28 PM

Reedy closed subtask T307278: CVE-2022-41766: On action=rollback the message "alreadyrolled" can leak revision deleted user name as Resolved.Sep 29 2022, 5:38 PM

Reedy closed subtask T316304: CVE-2022-41767: reassignEdits doesn't update results in an IP range check on Special:Contributions as Resolved.

Reedy closed subtask T309894: CVE-2022-41765: HTMLUserTextField exposes existence of hidden users as Resolved.Sep 29 2022, 5:55 PM

Reedy closed this task as Resolved.Sep 29 2022, 9:16 PM

Reedy claimed this task.

Reedy attached a referenced file: F35538605: T307278-master.patch. (Show Details)

Reedy attached a referenced file: F35538604: T307278-REL1_38.patch. (Show Details)

Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Nov 1 2022, 6:06 PM

Reedy changed the edit policy from "acl*security (Project)" to "All Users".