Supplementary security updates were recently released for the MediaWiki 1.39.5 security update. As far as I can see, Wikibase and EntitySchema are the only extensions that we include from this list.
With the security/maintenance release of MediaWiki 1.35.12/1.39.5/1.40.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

EntitySchema
+ (T339016, CVE-2023-45368) - EntitySchema edits don't run through AbuseFilter
  https://gerrit.wikimedia.org/r/q/Id71ece831c929fadb1710634de9a7be5f02e0b0e

Wikibase
+ (T333980, CVE-2023-45366) - FederatedPropertiesError shows label as unescaped HTML
  https://gerrit.wikimedia.org/r/q/I76b953be86d6465ee7355c0a189c68cf20457786

ACs:
- Wikibase extension is updated in wikibase.clouds mediawiki repo
- ... EntitySchema extension is updated
- a new release including above updates is deployed to staging
- ... deployed to production
Patches