
Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3)
Closed, ResolvedPublic


Event Timeline

DannyS712 subscribed.

This task has a different edit policy than the others in the security release tree - I had to subscribe first to be able to edit it. Is that intentional?

> This task has a different edit policy than the others in the security release tree - I had to subscribe first to be able to edit it. Is that intentional?

You were involved in CR-ing https://gerrit.wikimedia.org/r/c/mediawiki/tools/release/+/787110 for T307036: Update visibility and edit policies for the creation of "Write and send supplementary release..." tasks...

It does sound to be working as coded, but whether that's the actual intended outcome, I'm not sure.

I don't know how well the API handles (or doesn't handle) advanced/complex edit/view rules, so whether it just made more sense than having it the same as the view policy?

sbassett added subscribers: mmartorana, Mstyles, RhinosF1.

> It does sound to be working as coded, but whether that's the actual intended outcome, I'm not sure.

Per the aforementioned patch, this is indeed very intentional. The idea is that we want to encourage more technical volunteers to be involved with the supplemental release and not all of those individuals will have full Phabricator security access (hello, @RhinosF1). And that given certain view/edit policy oddities within Phabricator, a subscribers-only edit policy seemed to be the sanest default for now.

> I don't know how well the API handles (or doesn't handle) advanced/complex edit/view rules, so whether it just made more sense than having it the same as the view policy?

In the past, we've seen the "subscribe a user to a task to give them view/edit rights" method not work for various reasons, so yes, this seemed to be the best default for what we want to do, unless someone else can offer a better approach.

sbassett changed the task status from Open to In Progress.Jul 5 2022, 3:46 PM
sbassett triaged this task as Low priority.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett updated the task description.
sbassett updated the task description.
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.4/1.38.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3).Jul 8 2022, 5:02 PM

Proposed release date: sometime just after Labor Day (September 5th)

> Proposed release date: sometime just after Labor Day (September 5th)

Shouldn't it probably be towards the end of the month, not the start?

> Proposed release date: sometime just after Labor Day (September 5th)
>
> Shouldn't it probably be towards the end of the month, not the start?

That's often the plan, yes, though in practice it has definitely been released a few days or a week after the end of a quarter. I suggested it this time to accommodate @RhinosF1 potentially helping out with some parts of it.

This comment was removed by RhinosF1.

Patch Status:

| Maniphest ID | Extension or Skin | REL1_35 | REL1_37 | REL1_38 |
|---|---|---|---|---|
| T308861 | OAuth | T308861#7986602 | T308861#7986602 | T308861#7986602 |
| T311337 / T316414 | CheckUser | T311337#8190447 | T311337#8027407 | T311337#8027407 |
| T313205 | Growth Experiments | N/A | Already in gerrit | Already in gerrit |
| T310763 | IPInfo | Extension not released | Patch doesn't apply | T310763#8007965 |

I'm going to request the CVEs today so there's more than enough time before they are allocated.

> I'm going to request the CVEs today so there's more than enough time before they are allocated.

Request 1320564

Just a note: the CheckUser patch hasn't been deployed to WMF production yet. It likely can be over the next week or two, and then it should be fine to release. If, for some reason, that doesn't happen by September 30th, we'd likely want to wait for the next supplemental release.

Also - I have no idea what I was thinking in T311785#8181949. The end of this quarter isn't until September 30th, which is when this release should happen. We can do prep work for it and request CVEs and even open up bugs, but the actual release announcement should wait until around September 30th.

All CVEs allocated. Will update tomorrow.

@Mstyles: not sure if it's a copy paste error but are you sure page triage is missing a 1.35 branch? Happy to do the CVE side if access is granted to the ticket.

> @Mstyles: not sure if it's a copy paste error but are you sure page triage is missing a 1.35 branch? Happy to do the CVE side if access is granted to the ticket.

Yep, it exists. Probably just a simple copypasta error. I'll add the default no for now.

@mmartorana and I did some planning today:

  1. Confirmed that @RhinosF1 has requested CVEs for all of the remaining tasks above. The 7 tasks/issues mentioned above will be included in this supplemental security release. Anything else will now be included in next quarter's release.
  2. We've divided up backports, task updates, etc. as follows (yes, some tasks already have backports and have been updated - these assignments are just to confirm that and then work on the ones that still need them):
    1. @mmartorana - first three - T308861, T313205 (this one is pretty much done)
    2. @sbassett - next two - T310763, T314245
    3. @Mstyles - last two - T312820, T302479
  3. I'll post a draft announcement below this comment. Never mind, we can use the (incomplete) draft from above: T311785#8183356.
  4. We plan to email this release out on Tuesday, October 4th, 2022.

OAuth

+ (T308861, CVE-2022-39191) - OAuth debug log includes consumer secrets
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/817860

GrowthExperiments

+ (T313205, CVE-2022-39194) - Growth's Community configuration makes it possible for rogue admin to take down a site
https://gerrit.wikimedia.org/r/825454

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.8/1.37.5/1.38.3)

Greetings-

With the security/maintenance release of MediaWiki 1.35.8/1.37.5/1.38.3, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

OAuth

+ (T308861, CVE-2022-39191) - OAuth debug log includes consumer secrets
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/839460/

GrowthExperiments

+ (T313205, CVE-2022-39194) - Growth's Community configuration makes it possible for rogue admin to take down a site
https://gerrit.wikimedia.org/r/q/I9b3766a71ee403b3a72c8af995e70c3017abe12e

IPInfo

+ (T310763, CVE-2022-39192) - IP Info tool shows whether an IP is autoblocked, potentially allowing unmasking of users by correlation
https://gerrit.wikimedia.org/r/q/Ib1fdac6b2db70fc33f6d9e9f3e9108b6d65961b4

PageTriage

+ (T314245, CVE-2022-41344) - Someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction
https://gerrit.wikimedia.org/r/q/I9a3c9dafc634c59d7dbf1d6d62da389046a0e22e

OAuth

+ (T312820, CVE-2022-41346) - Special:OAuth/rest_redirect does unrestricted redirects
https://gerrit.wikimedia.org/r/q/I789fb7384d89fbf42df22dc7b1953fb9087d95b1

Translate

+ (T302479, CVE-2022-41345) - Blocked users with "translation administrator" right are able to mark pages for translation
https://gerrit.wikimedia.org/r/q/Ic206021

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://w.wiki/5nN3
[1] https://phabricator.wikimedia.org/T311785
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 6 2022, 6:07 PM
sbassett changed the edit policy from "Subscribers" to "All Users".
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett awarded a token.
sbassett assigned this task to Mstyles.