Page MenuHomePhabricator
Create Task
Maniphest T347659

Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0)
Closed, ResolvedPublic
Actions

Description

Previous work: T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1)

Maniphest IDExtension or SkinCVE IDREL1_35REL1_39REL1_40REL1_41master
T347704PageTriageCVE-2024-23174N/AN/AN/AN/AYes
T348687CargoCVE-2024-23173N/AN/AN/AN/AYes
T348343CampaignToolsCVE-2024-23171N/AN/AN/AN/AYes
T347708CheckUserCVE-2024-23172N/AYesYesYesYes
T347742MassMessageCVE-2024-23176N/AYes (Fixed in gerrit)Yes, FixYes, FixYes, Fix
T347746GlobalBlockingCVE-2024-23179N/AYes , YesYes , YesYesYes , Yes
T348979WatchAnalyticsCVE-2024-23177N/AN/AN/AYesYes
T349312PhonosCVE-2024-23178N/AN/AYesYesYes
T353138FlexDiagramsCVE-2024-23175N/AN/AYesYesYes

Notes

  1. T347742 (MassMessage) has a follow-up fix patch as the original security patch was a bit buggy.
  2. T347744 (SecurePoll) was fixed publicly, and so not officially included within this release.

Details

Due Date
Dec 29 2023, 6:00 AM

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 29 2023, 2:30 AM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 29 2023, 2:31 AM
Reedy added a parent task: T347649: Release MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0.Sep 29 2023, 2:31 AM
sbassett changed the task status from Open to In Progress.Oct 2 2023, 10:29 PM
sbassett triaged this task as Medium priority.
sbassett added a project: SecTeam-Processed.
sbassett updated the task description. (Show Details)
sbassett added subscribers: Mstyles, mmartorana, RhinosF1, Bawolff.
sbassett subscribed.
Mstyles updated the task description. (Show Details)Oct 2 2023, 10:31 PM
sbassett updated the task description. (Show Details)Oct 2 2023, 10:31 PM
sbassett updated the task description. (Show Details)Oct 2 2023, 10:35 PM
Mstyles updated the task description. (Show Details)Oct 2 2023, 10:35 PM
sbassett updated the task description. (Show Details)Oct 2 2023, 10:36 PM
sbassett set Due Date to Dec 29 2023, 6:00 AM.
sbassett added a project: user-sbassett.Oct 12 2023, 2:59 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
Mstyles updated the task description. (Show Details)Oct 16 2023, 10:18 PM
Mstyles updated the task description. (Show Details)Oct 16 2023, 10:40 PM
sbassett updated the task description. (Show Details)Oct 17 2023, 3:40 PM
sbassett updated the task description. (Show Details)Oct 20 2023, 8:23 PM
sbassett mentioned this in T348343: CVE-2024-23171: Various i18n-based XSSs in Special:EventDetails.Nov 2 2023, 3:06 PM
sbassett updated the task description. (Show Details)Nov 6 2023, 4:52 PM
sbassett updated the task description. (Show Details)Nov 15 2023, 5:02 PM
sbassett updated the task description. (Show Details)Nov 22 2023, 5:06 PM
sbassett updated the task description. (Show Details)Dec 11 2023, 8:23 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Dec 18 2023, 3:34 PM
Reedy mentioned this in T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1).Dec 21 2023, 6:58 PM
mmartorana added a comment.Jan 8 2024, 5:47 PM

Assigned CVE and backport duties for this report:

@Mstyles
T347704 - PageTriage
T348687 - Cargo
T348343 - CampaignTools
T347708 - CheckUser
@mmartorana
T347742 - MassMessage
T347746 - GlobalBlocking
T348979 - WatchAnalytics
T349312 - Phonos
T353138 - FlexDiagrams
sbassett awarded a token.Jan 8 2024, 5:57 PM
sbassett added a subscriber: Dreamy_Jazz.Jan 8 2024, 8:34 PM

Just FYI - the patch for T347708 (CheckUser) has been updated: T347708#9443432. So that version should be used for this release.

sbassett mentioned this in T347708: CVE-2024-23172: Several not properly escaped messages in the CheckUser extension.Jan 8 2024, 8:35 PM
Mstyles updated the task description. (Show Details)Jan 10 2024, 12:35 AM
Mstyles updated the task description. (Show Details)Jan 16 2024, 6:49 PM
mmartorana updated the task description. (Show Details)Jan 17 2024, 3:21 PM
mmartorana updated the task description. (Show Details)
mmartorana updated the task description. (Show Details)Jan 17 2024, 3:35 PM
mmartorana updated the task description. (Show Details)Jan 17 2024, 3:40 PM
mmartorana updated the task description. (Show Details)Jan 17 2024, 3:43 PM
mmartorana claimed this task.Jan 17 2024, 4:09 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)

Greetings-

With the security/maintenance release of MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

PageTriage
+ (T347704, CVE-2024-23174) - XSS in pagetriage-tags-quickfilter-label PageTriage
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177

Cargo
+ (T348687, CVE-2024-23173) - Reflected XSS Could Lead to Steal User Cookie
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214/

CampaignTools
+ (T348343, CVE-2024-23171) - Various i18n-based XSSs in Special:EventDetails
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/971248/

CheckUser
+ (T347708, CVE-2024-23172) - Several not properly escaped messages in the CheckUser extension
https://gerrit.wikimedia.org/r/q/If3ce02cac9c5f2a6f84c42d902b8290eb1fa7250

MassMessage
+ (T347742, CVE-2024-23176) - MassMessage i18n key massmessage-form-page-help allows i18n-xss
https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c

GlobalBlocking
+ (T347746, CVE-2024-23179) - GlobalBlocking subtitle links have i18n-xss via the parentheses message
https://gerrit.wikimedia.org/r/q/Ide490ca62bdb79b80be5e016986c6c96bfa3b4cf
https://gerrit.wikimedia.org/r/q/I1cad283235ea974c7d4ffabc49e1ff801dd4d276

WatchAnalytics
+ (T348979, CVE-2024-23177) - WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter
https://gerrit.wikimedia.org/r/q/I09f4663c1c619796624b7d296c1351e0245cdaf1

Phonos
+ (T349312, CVE-2024-23178) - XSS in Phonos via the phonos-purge-needed-error message
https://gerrit.wikimedia.org/r/q/I4cbdd3a35ded2385c29983c77f98835fa2ca307c

FlexDiagrams
+ (T353138, CVE-2024-23178) - FlexDiagrams XSS bug
https://gerrit.wikimedia.org/r/q/I139e88d8669b14469e359d1d124b2647dde2a7ca

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T347659
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana updated the task description. (Show Details)Jan 17 2024, 4:10 PM
mmartorana updated the task description. (Show Details)Jan 17 2024, 5:20 PM
mmartorana closed this task as Resolved.EditedJan 17 2024, 5:33 PM

Supplemental announcement is out!

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 17 2024, 5:35 PM
mmartorana changed the edit policy from "Subscribers" to "All Users".
sbassett mentioned this in T347742: CVE-2024-23176: MassMessage i18n key massmessage-form-page-help allows i18n-xss.Jan 17 2024, 6:25 PM
mmartorana updated the task description. (Show Details)Jan 18 2024, 10:17 AM
sbassett updated the task description. (Show Details)Jan 18 2024, 3:52 PM
sbassett updated the task description. (Show Details)Jan 18 2024, 3:54 PM
sbassett updated the task description. (Show Details)Jan 18 2024, 3:57 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 18 2024, 3:59 PM
Mstyles updated the task description. (Show Details)Mar 22 2024, 8:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits