Page MenuHomePhabricator
Create Task
Maniphest T318974

Write and send supplementary release announcement for extensions and skins with security patches (1.35.9/1.38.4/1.39.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T311785: Write and send supplementary release announcement for extensions and skins with security patches (1.35.8/1.37.5/1.38.3)

Maniphest IDExtension or SkinCVE IDREL1_35REL1_37REL1_38REL1_39master
T311337CheckUserCVE-2022-39193YesEOLYesYesYes
T316414CheckUserCVE-2022-39193NoEOLNoNoYes
T318166CheckUserCVE-2022-39193YesEOLYesYesYes
T321733GrowthExperimentsCVE-2023-22945NoNoNoYesYes
T315123CheckUserCVE-2023-22912YesEOLYesYesYes
T320987MobileFrontendCVE-2023-22909NoNoNoNoYes
T149488WidgetsCVE-2023-22911NoNoNoYesYes
T323592WikibaseCVE-2023-22910YesNoYesYesYes

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 29 2022, 7:10 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 29 2022, 7:10 PM
Reedy added a parent task: Restricted Task.Sep 29 2022, 7:10 PM
Reedy changed the visibility from "Custom Policy" to "Custom Policy".Oct 5 2022, 4:16 PM
Reedy changed the edit policy from "Subscribers" to "Custom Policy".
Reedy added a subscriber: sbassett.
sbassett changed the task status from Open to In Progress.Oct 5 2022, 4:21 PM
sbassett triaged this task as Low priority.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
sbassett added a project: user-sbassett.
sbassett added subscribers: RhinosF1, mmartorana, Mstyles.
sbassett updated the task description. (Show Details)Oct 6 2022, 4:28 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.Nov 1 2022, 6:48 PM
Mstyles updated the task description. (Show Details)Nov 1 2022, 6:50 PM
Mstyles updated the task description. (Show Details)Nov 7 2022, 11:12 PM
sbassett updated the task description. (Show Details)Nov 15 2022, 4:41 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T320987: CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries.Nov 15 2022, 4:45 PM
sbassett updated the task description. (Show Details)Nov 15 2022, 6:51 PM
sbassett updated the task description. (Show Details)Nov 16 2022, 10:50 PM
sbassett updated the task description. (Show Details)Dec 5 2022, 5:10 PM
DannyS712 mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Dec 23 2022, 1:33 AM
Zabe subscribed.Jan 9 2023, 10:12 PM
Mstyles updated the task description. (Show Details)Jan 10 2023, 1:36 AM
mmartorana updated the task description. (Show Details)Jan 10 2023, 10:19 AM
Mstyles updated the task description. (Show Details)Jan 10 2023, 6:08 PM
Mstyles updated the task description. (Show Details)Jan 11 2023, 6:09 PM
Mstyles updated the task description. (Show Details)
Mstyles updated the task description. (Show Details)Jan 12 2023, 3:05 AM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)Jan 12 2023, 12:43 PM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)Jan 12 2023, 3:43 PM
Mstyles updated the task description. (Show Details)Jan 12 2023, 5:50 PM
mmartorana added a comment.EditedJan 12 2023, 6:15 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.9/1.38.4/1.39.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.9/1.38.4/1.39.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser

+ (T311337, CVE-2022-39193) - Edits with the performer suppressed still show the performer in results from the CheckUser extension
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/879167/

CheckUser

+ (T316414, CVE-2022-39193) - Special:Investigate can expose supressed information in check results
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/879166/

CheckUser

+ (T318166, CVE-2022-39193) - CheckUser API can expose the suppressed performer
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/879073/

GrowthExperiments

+ (T321733, CVE-2023-22945) - Action=growthmanagementorlist makes it possible for blocked users to enroll as mentors
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/857629/

CheckUser

+ (T315123, CVE-2023-22912) - CheckUser TokenManager insecurely uses AES-CTR encryption with repeated nonce, allowing an adversary to decrypt
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/879074/

MobileFrontend

+ (T320987, CVE-2023-22909) - Mobile frontend's history makes really slow db queries
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/857762/

Widgets

+ (T149488, CVE-2023-22911) - Widgets does widget replacement in html attributes potentially leading to XSS
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Widgets/+/856035/

Wikibase

+ (T323592, CVE-2023-22910) - XSS in Wikibase date formatting
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/879171/

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T318974
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana added a comment.EditedJan 12 2023, 7:12 PM

Supplemental announcement is out!

mmartorana closed this task as Resolved.Jan 12 2023, 7:13 PM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 12 2023, 7:33 PM
mmartorana changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from In Progress to Done on the user-sbassett board.Jan 12 2023, 8:18 PM
sbassett mentioned this in T318166: CVE-2022-39193: CheckUser API can expose the suppressed performer.
sbassett updated the task description. (Show Details)
Zabe updated the task description. (Show Details)Jan 12 2023, 8:23 PM
sbassett updated the task description. (Show Details)Jan 12 2023, 8:42 PM
Peculiar_Investor subscribed.EditedJan 12 2023, 10:41 PM

Future improvement opportunity:

It would have been nice if the cross-reference table in the Description section was including in the announcement email so wiki sysops could easily determine which branches of each extension contained the merged fixes.

sbassett added a comment.Jan 12 2023, 11:06 PM
In T318974#8522057, @Peculiar_Investor wrote:

Future improvement opportunity:

It would have been nice if the cross-reference table in the Description section was including in the announcement email so wiki sysops could easily determine which branches of each extension contained the merged fixes.

Thanks for the suggestion. We could probably create some kind of plain text version of the table above for the email notifications. Perhaps we can experiment with that for the next supplemental security release.

AdamMillerchip subscribed.EditedJan 13 2023, 12:22 AM

Hello! As a wiki administrator, how do I ensure I've updated to the patched version?

For example, downloading MobileFrontend for MediaWiki v 1.39 via the downloader gives me MobileFrontend 2.4.0 - does this include the fix?

edit: Sorry, have read the discussion above. Seems the answer is no, we have to use master.

Reedy added a comment.Jan 13 2023, 12:22 PM
In T318974#8522311, @AdamMillerchip wrote:

Hello! As a wiki administrator, how do I ensure I've updated to the patched version?

For example, downloading MobileFrontend for MediaWiki v 1.39 via the downloader gives me MobileFrontend 2.4.0 - does this include the fix?

edit: Sorry, have read the discussion above. Seems the answer is no, we have to use master.

Well, no, you don't have to use master, and generally would be ill-advised with a release branch.

I would agree that I'm also a little confused on that one:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22909

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

But the patch was not backported to any release branches.

The question would be more suited to be asked on T320987: CVE-2023-22909: [Unplanned, S] Mobile frontend's history makes really slow db queries, though.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits