Page MenuHomePhabricator
Create Task
Maniphest T353904

Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0)

Maniphest IDExtension or SkinCVE IDREL1_39REL1_40REL1_41master
T355434CheckUserCVE-2024-34505N/AN/AN/AYes
T356226CheckUserCVE-2024-34501NoNoYesYes
T356190ReportIncidentCVE-2024-34503NoNoYesYes
T356183IPInfoCVE-2024-34504YesYesYesYes
GHSAWikiDiscoverCVE-2024-25107N/AN/AN/AYes
T357203UnlinkedWikibaseCVE-2024-34500N/AN/AN/AYes
T357101WikibaseLexemeCVE-2024-34502YesYesYesYes
T331362CargoCVE-2023-29134N/AN/AN/AYes
GHSAManageWikiCVE-2024-25109N/AN/AN/AYes (1, 2, 3)
GHSACreateWikiCVE-2024-29883N/AN/AN/AYes (1, 2, 3)

Template

TxxxxxxExtNameCVE-2024-xxxxxNoNoNoNo

Notes

  1. T347744 was fixed publicly, but could likely be re-announced for this release.
  2. T355073 is part of the bundled release.

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Dec 21 2023, 6:53 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 21 2023, 6:53 PM
Reedy added a parent task: T353894: Release MediaWiki 1.39.7/1.40.3/1.41.1.Dec 21 2023, 6:53 PM
Reedy updated the task description. (Show Details)Dec 21 2023, 6:58 PM
sbassett added a project: user-sbassett.Jan 16 2024, 10:40 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added subscribers: mmartorana, Mstyles.
sbassett subscribed.
sbassett updated the task description. (Show Details)Jan 16 2024, 10:42 PM
sbassett updated the task description. (Show Details)
sbassett mentioned this in T355434: CVE-2024-34505: Temporary account IP reveal does not check the deleted status of the performer before revealing the IP address associated with an edit/log event.Jan 24 2024, 6:59 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jan 31 2024, 10:18 PM
sbassett updated the task description. (Show Details)Feb 1 2024, 4:17 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 7 2024, 8:42 PM
sbassett updated the task description. (Show Details)Feb 7 2024, 8:48 PM
RhinosF1 subscribed.Feb 8 2024, 8:35 PM
RhinosF1 updated the task description. (Show Details)Feb 8 2024, 8:40 PM
Restricted Application added a project: affects-Miraheze. · View Herald TranscriptFeb 8 2024, 8:40 PM
RhinosF1 updated the task description. (Show Details)EditedFeb 8 2024, 8:40 PM
RhinosF1 updated the task description. (Show Details)

I've added https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f to the tracker listing the GSHA as there's no task for it on Wikimedia. WikiTide have requested the CVE.

RhinosF1 updated the task description. (Show Details)Feb 8 2024, 8:42 PM
RhinosF1 updated the task description. (Show Details)Feb 9 2024, 6:49 AM
sbassett added a comment.Feb 9 2024, 4:47 PM
In T353904#9526984, @RhinosF1 wrote:

I've added https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f to the tracker listing the GSHA as there's no task for it on Wikimedia. WikiTide have requested the CVE.

Thanks.

Mstyles updated the task description. (Show Details)Feb 12 2024, 5:58 PM
Mstyles updated the task description. (Show Details)Feb 12 2024, 10:44 PM
sbassett mentioned this in T357101: CVE-2024-34502: Special:MergeLexemes makes edits on GET requests without edit tokens.Feb 13 2024, 4:16 PM
Lucas_Werkmeister_WMDE mentioned this in T356764: Merging lexemes is only partially rate limited and protected by AbuseFilter.Feb 15 2024, 3:18 PM
sbassett updated the task description. (Show Details)Feb 26 2024, 4:27 PM
sbassett updated the task description. (Show Details)
RhinosF1 updated the task description. (Show Details)Mar 19 2024, 1:31 PM
In T353904#9529744, @sbassett wrote:
In T353904#9526984, @RhinosF1 wrote:

I've added https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f to the tracker listing the GSHA as there's no task for it on Wikimedia. WikiTide have requested the CVE.

Thanks.

I added the ManageWiki one too.

sbassett added a comment.Mar 19 2024, 2:39 PM
In T353904#9641879, @RhinosF1 wrote:

I added the ManageWiki one too.

Thanks. @Mstyles - we should plan to include these with the upcoming release, and I don't think we need to worry about any release-branch backports for them.

RhinosF1 added a comment.Mar 19 2024, 2:41 PM
In T353904#9642344, @sbassett wrote:
In T353904#9641879, @RhinosF1 wrote:

I added the ManageWiki one too.

Thanks. @Mstyles - we should plan to include these with the upcoming release, and I don't think we need to worry about any release-branch backports for them.

Nope, neither extension uses the REL branches. Only thing left to do is add them to the announcement.

Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.39.6/1.40.2/1.41.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1).Mar 26 2024, 2:50 PM
RhinosF1 updated the task description. (Show Details)Mar 26 2024, 4:08 PM
Reedy mentioned this in T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0).Mar 28 2024, 11:09 PM
Mstyles claimed this task.Mar 29 2024, 12:27 AM
sbassett added a comment.Apr 2 2024, 5:47 PM

Still waiting on the CVEs for these...

sbassett updated the task description. (Show Details)Apr 9 2024, 6:04 PM
sbassett added a comment.Apr 29 2024, 2:52 PM

...and still waiting for the CVEs, I believe.

Mstyles updated the task description. (Show Details)May 6 2024, 9:13 AM
Mstyles added a comment.May 6 2024, 9:53 AM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)

Greetings-

There was a delay in CVE assignment due to a backlog with Mitre. With the security/maintenance release of MediaWiki .39.7/1.40.3/1.41.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T355434, CVE-2024-34505) - Temporary account IP reveal does not check the deleted status
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/

CheckUser
+ (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f

ReportIncident
+ (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e

IPInfo
+ (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF attacks
https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e

WikiDiscover
+ (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on Special:WikiDiscover
https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f

UnlinkedWikibase
+ (T357203, CVE-2024-34500) - XSS through interface message in UnlinkedWikibase
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175

WikibaseLexeme
+ (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET requests without edit tokens
https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d

Cargo
+ (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes inside backticks
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478

ManageWiki
+ (GHSA-cfcf-94jv-455f, CVE-2024-25109) - Special:ManageWiki does not escape escape interface messages
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84

CreateWiki
+ (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not escape escape interface messages
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

[1] https://phabricator.wikimedia.org/T353904
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles closed this task as Resolved.May 6 2024, 10:01 AM
Mstyles moved this task from In Progress to Done on the user-sbassett board.

Supplemental announcement is out!

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".May 6 2024, 10:01 AM
Mstyles changed the edit policy from "Subscribers" to "All Users".
Restricted Application added a subscriber: Reception123. · View Herald TranscriptMay 6 2024, 10:01 AM
sbassett awarded a token.May 6 2024, 4:19 PM
Reedy mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).Jun 27 2024, 3:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits