⚓ T325849 Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3)

Maniphest ID	Extension or Skin	CVE ID	REL1_35	REL1_38	REL1_39	REL1_40	master
T326293	CheckUser	CVE-2023-29139	N/A	N/A	N/A	N/A	Yes
T327613	GrowthExperiments	CVE-2023-29140	N/A	N/A	N/A	N/A	Yes
T278365	CheckUser	CVE-2023-29138	Yes	Yes	Yes	Yes	Yes
T326907	PdfBook	CVE-2023-24612	N/A	N/A	N/A	N/A	Yes
T328643	GrowthExperiments	CVE-2023-29137	N/A	N/A	N/A	N/A	Yes, Yes
T330406	Widgets	CVE-2023-28447	Yes	N/A	Yes, Yes	N/A	Yes, Yes
T331321	Cargo	CVE-2023-29133	N/A	N/A	N/A	N/A	Yes
T331192	CheckUser	CVE-2023-29135	N/A	Yes	Yes	Yes	Yes

		Status	Subtype	Assigned	Task
		Resolved		Reedy	T325839 Release MediaWiki 1.35.10/1.38.6/1.39.3
		Resolved		None	T325849 Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3)

Reedy added projects: Security, MediaWiki-Releasing.Dec 22 2022, 10:13 PM

Reedy subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 22 2022, 10:13 PM

Reedy added a parent task: T325839: Release MediaWiki 1.35.10/1.38.6/1.39.3.Dec 22 2022, 10:13 PM

DannyS712 updated the task description. (Show Details)Dec 23 2022, 1:32 AM

DannyS712 subscribed.

DannyS712 unsubscribed.

Reedy added a subscriber: sbassett.Jan 5 2023, 2:57 PM

sbassett added a project: user-sbassett.Jan 5 2023, 5:19 PM

sbassett mentioned this in T326293: CVE-2023-29139: API request timeout - CheckUserLog.

sbassett added subscribers: Mstyles, mmartorana.

sbassett changed the task status from Open to In Progress.Jan 5 2023, 5:22 PM

sbassett triaged this task as Medium priority.

sbassett updated the task description. (Show Details)

Zabe subscribed.Jan 9 2023, 10:11 PM

Mstyles updated the task description. (Show Details)Jan 10 2023, 6:08 PM

Mstyles updated the task description. (Show Details)Jan 11 2023, 6:09 PM

sbassett moved this task from Backlog to In Progress on the user-sbassett board.Jan 12 2023, 8:20 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)Jan 12 2023, 8:45 PM

sbassett updated the task description. (Show Details)Jan 23 2023, 6:11 PM

sbassett updated the task description. (Show Details)Jan 23 2023, 6:14 PM

sbassett mentioned this in T327613: CVE-2023-29140: GrowthExperiments new impact module shows revdeleted edits.

Mstyles updated the task description. (Show Details)Jan 30 2023, 5:16 PM

sbassett updated the task description. (Show Details)Jan 30 2023, 8:38 PM

sbassett updated the task description. (Show Details)Feb 10 2023, 5:06 PM

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.2) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Feb 21 2023, 4:07 PM

sbassett updated the task description. (Show Details)Feb 23 2023, 7:02 PM

sbassett mentioned this in T330406: CVE-2023-28447: Make a security release of Extension:Widgets due to Smarty RCE vulns.Feb 23 2023, 7:04 PM

sbassett updated the task description. (Show Details)Mar 8 2023, 6:04 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)Mar 8 2023, 6:09 PM

sbassett added a subscriber: Bawolff.

sbassett updated the task description. (Show Details)Mar 8 2023, 6:11 PM

sbassett updated the task description. (Show Details)

sbassett updated the task description. (Show Details)Mar 8 2023, 11:22 PM

sbassett updated the task description. (Show Details)Mar 16 2023, 2:40 PM

sbassett updated the task description. (Show Details)Mar 27 2023, 3:07 PM

sbassett updated the task description. (Show Details)

Assigned CVE and backport duties for this report:

@mmartorana
T326293 - CheckUser
T327613 - GrowthExperiments
T278365 - CheckUser
T326907 - PdfBook
T328643 - GrowthExperiments

@Mstyles
T330406 - Widgets
T331321 - Cargo
T331352 - Cargo (not fixed?)
T331362 - Cargo
T331192 - CheckUser

sbassett mentioned this in T333569: CVE-2023-37255: Special:CheckUser 'get edits' is vulnerable to HTML injection through user agent string.Mar 30 2023, 5:49 PM

mmartorana updated the task description. (Show Details)Apr 3 2023, 3:15 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.10/1.38.6/1.39.3)

Greetings-

With the security/maintenance release of MediaWiki 1.35.10/1.38.6/1.39.3, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T326293, CVE-2023-29139) - API request timeout - CheckUserLog.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/877267/

GrowthExperiments
+ (T327613, CVE-2023-29140) - GrowthExperiments new impact module shows revdeleted edits.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/885042/

CheckUser
+ (T278365, CVE-2023-29138) - Using checkuser api module with bad user name can still break Special:CheckUserLog even after security fixes.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905649

PdfBook
+ (T326907, CVE-2023-24612) - Command injection in the PdfBook extension.
https://gitlab.com/organicdesign/PdfBook/-/merge_requests/6

GrowthExperiments
+ (T328643, CVE-2023-29137) - GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/889295/
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/889296/

Widgets
+ (T330406, CVE-2023-28447) - Make a security release of Extension:Widgets due to Smarty RCE vulns.
https://gerrit.wikimedia.org/r/891977
https://gerrit.wikimedia.org/r/892451

Cargo
+ (T331321, CVE-2023-29133) - XSS in Searchtext formatter in Cargo.
https://gerrit.wikimedia.org/r/895193

CheckUser
+ (T331192, CVE-2023-29135) - CheckUser 'get users' form vulnerable to HTML injection through usernames.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/904920/

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T325849
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles updated the task description. (Show Details)Apr 4 2023, 4:20 AM

DannyS712 mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 3:35 PM

mmartorana updated the task description. (Show Details)Apr 4 2023, 4:48 PM

Mstyles updated the task description. (Show Details)Apr 4 2023, 5:00 PM

Mstyles updated the task description. (Show Details)Apr 4 2023, 5:04 PM

mmartorana updated the task description. (Show Details)Apr 4 2023, 5:09 PM

sbassett closed this task as Resolved.Apr 4 2023, 7:44 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Subscribers" to "All Users".

sbassett moved this task from In Progress to Done on the user-sbassett board.

sbassett updated the task description. (Show Details)Apr 4 2023, 7:50 PM