MW 1.39.5: Update Wikibase & EntitySchema
Closed, Resolved, Public

Description

Supplementary security updates were released to the MediaWiki 1.39.5 security update recently. As far as I can see Wikibase and EntitySchema are the only extensions that we include from this list.

With the security/maintenance release of MediaWiki 1.35.12/1.39.5/1.40.1,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

EntitySchema
+ (T339016, CVE-2023-45368) - EntitySchema edits don't run through
AbuseFilter
https://gerrit.wikimedia.org/r/q/Id71ece831c929fadb1710634de9a7be5f02e0b0e

Wikibase
+ (T333980, CVE-2023-45366) - FederatedPropertiesError shows label as
unescaped HTML
https://gerrit.wikimedia.org/r/q/I76b953be86d6465ee7355c0a189c68cf20457786

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2DJ5FTR5UVXLYROAH4ZVYZBYOPLXYQZT/

ACs:

  • Wikibase extension is updated in wikibase.clouds mediawiki repo
  • ... EntitySchema extension is updated
  • a new release including above updates is deployed to staging
  • ... deployed to production

Event Timeline

Evelien_WMDE claimed this task.