Page MenuHomePhabricator
Create Task
Maniphest T340874

Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0)

Maniphest IDExtension or SkinCVE IDREL1_35REL1_39REL1_40master/main
T339016EntitySchemaCVE-2023-45368NoYesYesYes
T339260WikibaseCVE-2023-45366YesYesYesYes
T340200CitoidCVE-2023-45365YesYesYesYes
T344923CheckUserCVE-2023-45367N/AN/AN/AYes
T345040SportsTeamsCVE-2023-45374NoNoNoYes
T345064WikibaseCVE-2023-45371NoNoNoYes
T345693ProofreadPageCVE-2023-45373NoNoNoYes
T344359PageTriageCVE-2023-45369NoNoNoYes
T345680SportsTeamsCVE-2023-45370NoNoNoYes

Template

TxxxxxxExtNameCVE-2023-xxxxxNoNoNoNo

Notes

  1. T343294 was a temporary patch
  2. The previous CU issues under CVE-2022-39193 now have the log events fix broken out into separate tasks per T318166#8521334:
    1. T326865: Special:CheckUser can expose suppressed information for log events
    2. T326866: Special:Investigate can expose suppressed information for log events
    3. T326867: CheckUser API can expose suppressed information for log events
  3. {T312733} seems unmaintained at this point.
  4. {T331352} had its first patch reverted, needs a new one to be included within any forthcoming release.

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Jun 30 2023, 4:49 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2023, 4:49 PM
Reedy added a parent task: T340864: Release MediaWiki 1.35.12/1.39.5/1.40.1.Jun 30 2023, 4:49 PM
sbassett added a project: user-sbassett.Jul 5 2023, 8:29 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added subscribers: Mstyles, mmartorana.
sbassett subscribed.
sbassett changed the task status from Open to In Progress.Jul 6 2023, 3:27 PM
sbassett assigned this task to Mstyles.
sbassett triaged this task as Medium priority.
sbassett added a project: SecTeam-Processed.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 6 2023, 3:30 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 6 2023, 3:32 PM
sbassett added a subscriber: Bawolff.
sbassett updated the task description. (Show Details)Jul 10 2023, 4:25 PM
sbassett updated the task description. (Show Details)Jul 10 2023, 9:00 PM
sbassett updated the task description. (Show Details)
Mstyles updated the task description. (Show Details)Jul 10 2023, 10:23 PM
sbassett updated the task description. (Show Details)Jul 12 2023, 10:26 PM
sbassett added a subscriber: Jdlrobson.
sbassett updated the task description. (Show Details)Jul 13 2023, 6:22 PM
sbassett updated the task description. (Show Details)Aug 25 2023, 4:48 PM
sbassett mentioned this in T344923: CVE-2023-45367: User can store arbitrary number of rows in cu_useragent_clienthints.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Aug 28 2023, 2:47 PM
sbassett mentioned this in T345040: CVE-2023-45374: SportsTeams: no anti-CSRF check in Special:SportsTeamsManager and Special:UpdateFavoriteTeams.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Sep 1 2023, 9:19 PM
sbassett updated the task description. (Show Details)Sep 11 2023, 9:16 PM
sbassett mentioned this in T345693: CVE-2023-45373: ProofreadPage Security-XSS errors in CI.Sep 11 2023, 9:20 PM
Mstyles updated the task description. (Show Details)Sep 18 2023, 9:29 PM
sbassett updated the task description. (Show Details)Sep 21 2023, 5:01 PM
sbassett updated the task description. (Show Details)
mmartorana added a comment.Sep 25 2023, 3:39 PM

Assigned CVE and backport duties for this report:

@mmartorana
T339016 - EntitySchema
T339260 - Wikibase
T340200 - Citoid
T344923 - CheckUser
@Mstyles
T345040 - SportsTeams
T345064 - Wikibase
T345693 - ProofreadPage
T344359 - PageTriage
T345680 - SportsTeams
mmartorana updated the task description. (Show Details)Sep 27 2023, 3:43 PM
mmartorana updated the task description. (Show Details)Sep 27 2023, 4:06 PM
mmartorana updated the task description. (Show Details)
mmartorana updated the task description. (Show Details)Sep 28 2023, 4:01 PM
mmartorana updated the task description. (Show Details)Sep 28 2023, 5:11 PM
mmartorana updated the task description. (Show Details)Sep 29 2023, 2:50 PM
mmartorana updated the task description. (Show Details)Sep 29 2023, 3:05 PM
mmartorana updated the task description. (Show Details)Sep 29 2023, 3:09 PM
mmartorana updated the task description. (Show Details)Sep 29 2023, 3:12 PM
mmartorana updated the task description. (Show Details)
mmartorana updated the task description. (Show Details)Sep 29 2023, 4:45 PM
mmartorana updated the task description. (Show Details)Oct 2 2023, 9:56 AM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:30 PM
sbassett removed a project: user-sbassett.
mmartorana updated the task description. (Show Details)Oct 5 2023, 5:59 PM
mmartorana updated the task description. (Show Details)Oct 9 2023, 7:56 AM
Mstyles updated the task description. (Show Details)Oct 10 2023, 4:02 PM
mmartorana updated the task description. (Show Details)Oct 10 2023, 4:18 PM
sbassett mentioned this in T340200: CVE-2023-45365: i18n XSS in Citoid Wikibase module.Oct 10 2023, 4:28 PM
Mstyles added a comment.Oct 10 2023, 4:58 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.12/1.39.5/1.40.1)

Greetings-

With the security/maintenance release of MediaWiki 1.35.12/1.39.5/1.40.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

EntitySchema
+ (T339016, CVE-2023-45368) - EntitySchema edits don't run through AbuseFilter
https://gerrit.wikimedia.org/r/q/Id71ece831c929fadb1710634de9a7be5f02e0b0e

Wikibase
+ (T333980, CVE-2023-45366) - FederatedPropertiesError shows label as unescaped HTML
https://gerrit.wikimedia.org/r/q/I76b953be86d6465ee7355c0a189c68cf20457786

Citoid
+ (T340200, CVE-2023-45365) - i18n XSS in Citoid Wikibase module
https://gerrit.wikimedia.org/r/q/I570e00e45f8a36fbf2b26db9610fa0a702a28f67

CheckUser
+ (T344923, CVE-2023-45367) - User can store arbitrary number of rows in cu_useragent_clienthints
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/952482/

SportsTeams
+ (T345040, CVE-2023-45374) - SportsTeams: no anti-CSRF check in Special:SportsTeamsManager and Special:UpdateFavoriteTeams
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/952552

Wikibase
+ (T345064, CVE-2023-45371) - Merging items is not rate limited and only partially protected by AbuseFilter
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/961264/

ProofreadPage
+ (T345693, CVE-2023-45373) - ProofreadPage Security-XSS errors in CI
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/961262/

PageTriage
+ (T344359, CVE-2023-45369) - pagetriagelist API leaks suppressed usernames
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/960676/

SportsTeam
+ (T345680, CVE-2023-45370) - SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo should check for the "sportsteamsmanager" user right
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/959699/

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T340874
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles closed this task as Resolved.Oct 10 2023, 5:37 PM

Supplemental announcement is out!

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 10 2023, 6:29 PM
sbassett changed the edit policy from "Subscribers" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL