
Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)
Closed, Resolved · Public

Event Timeline

sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added subscribers: mmartorana, Mstyles.
sbassett subscribed.
sbassett updated the task description.
sbassett updated the task description.
RhinosF1 updated the task description.

I've added https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f to the tracker listing the GHSA as there's no task for it on Wikimedia. WikiTide have requested the CVE.

Thanks.

sbassett updated the task description.

I added the ManageWiki one too.

Thanks. @Mstyles - we should plan to include these with the upcoming release, and I don't think we need to worry about any release-branch backports for them.

Nope, neither extension uses the REL branches. Only thing left to do is add them to the announcement.

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.39.6/1.40.2/1.41.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1). Mar 26 2024, 2:50 PM

Still waiting on the CVEs for these...

...and still waiting for the CVEs, I believe.

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)

Greetings-

There was a delay in CVE assignment due to a backlog with Mitre. With the security/maintenance release of MediaWiki 1.39.7/1.40.3/1.41.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T355434, CVE-2024-34505) - Temporary account IP reveal does not check the deleted status
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/

CheckUser
+ (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f

ReportIncident
+ (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e

IPInfo
+ (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF attacks
https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e

WikiDiscover
+ (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on Special:WikiDiscover
https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f

UnlinkedWikibase
+ (T357203, CVE-2024-34500) - XSS through interface message in UnlinkedWikibase
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175

WikibaseLexeme
+ (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET requests without edit tokens
https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d

Cargo
+ (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes inside backticks
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478

ManageWiki
+ (GHSA-cfcf-94jv-455f, CVE-2024-25109) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

CreateWiki
+ (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

[1] https://phabricator.wikimedia.org/T353904
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles moved this task from In Progress to Done on the user-sbassett board.

Supplemental announcement is out!

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)". May 6 2024, 10:01 AM
Mstyles changed the edit policy from "Subscribers" to "All Users".