Page MenuHomePhabricator
Create Task
Maniphest T348679

MW 1.39.5: Update Wikibase & EntitySchema
Closed, ResolvedPublic
Actions

Description

Supplementary security updates were released to the MediaWiki 1.39.5 security update recently. As far as I can see Wikibase and EntitySchema are the only extensions that we include from this list.

With the security/maintenance release of MediaWiki 1.35.12/1.39.5/1.40.1,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

EntitySchema
+ (T339016, CVE-2023-45368) - EntitySchema edits don't run through
AbuseFilter
https://gerrit.wikimedia.org/r/q/Id71ece831c929fadb1710634de9a7be5f02e0b0e

Wikibase
+ (T333980, CVE-2023-45366) - FederatedPropertiesError shows label as
unescaped HTML
https://gerrit.wikimedia.org/r/q/I76b953be86d6465ee7355c0a189c68cf20457786

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/2DJ5FTR5UVXLYROAH4ZVYZBYOPLXYQZT/

ACs:

  • Wikibase extension is updated in wikibase.clouds mediawiki repo
  • ... EntitySchema extension is updated
  • a new release including above updates is deployed to staging
  • ... deployed to production

Patches

Event Timeline

Deniz_WMDE created this task.Oct 11 2023, 6:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 11 2023, 6:23 PM
Andrew-WMDE claimed this task.Oct 26 2023, 8:39 AM
Andrew-WMDE moved this task from To do to Doing on the Wikibase Cloud (Kanban board Q4 2023) board.
Andrew-WMDE updated the task description. (Show Details)Oct 27 2023, 10:31 AM
Andrew-WMDE moved this task from Doing to In Review on the Wikibase Cloud (Kanban board Q4 2023) board.Oct 27 2023, 10:37 AM
Andrew-WMDE removed Andrew-WMDE as the assignee of this task.Oct 30 2023, 8:53 AM
Andrew-WMDE subscribed.
Tarrow moved this task from In Review to Waiting for Deploy to Staging on the Wikibase Cloud (Kanban board Q4 2023) board.Oct 31 2023, 9:06 AM
Andrew-WMDE claimed this task.Oct 31 2023, 9:21 AM
Andrew-WMDE moved this task from Waiting for Deploy to Staging to Waiting for Deploy to Production on the Wikibase Cloud (Kanban board Q4 2023) board.Oct 31 2023, 10:47 AM
Andrew-WMDE removed Andrew-WMDE as the assignee of this task.Oct 31 2023, 12:00 PM
Andrew-WMDE updated the task description. (Show Details)
Andrew-WMDE moved this task from Waiting for Deploy to Production to Done on the Wikibase Cloud (Kanban board Q4 2023) board.
Evelien_WMDE closed this task as Resolved.Nov 13 2023, 9:33 AM
Evelien_WMDE claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL