Page MenuHomePhabricator
Create Task
Maniphest T361321

Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0)
Closed, ResolvedPublic
Actions

Description

Previous work: T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)

Maniphest IDExtension or SkinCVE IDREL1_39REL1_40REL1_41REL1_42master
T361293CheckUserCVE-2024-40606YesYesYesN/A - In master before REL1_42 splitYes
T361295CheckUserCVE-2024-40610YesYesYesN/A - In master before REL1_42 splitYes
T361296CheckUserCVE-2024-40608YesYesYesN/A - In master before REL1_42 splitYes
T361479CheckUserCVE-2024-40607YesYesYes, FixN/A - In master before REL1_42 splitYes
T326867CheckUserCVE-2024-40598Cannot be fixedCannot be fixedCannot be fixedCannot be fixedYes
T326865CheckUserCVE-2024-40597Cannot be fixedCannot be fixedCannot be fixedCannot be fixedYes
T338419CheckUserCVE-2024-40609YesYesYesYesYes
T268147CheckUserCVE-2024-40611N/AN/AN/AN/AN/A
T326866CheckUserCVE-2024-40596Cannot be fixedCannot be fixedCannot be fixedCannot be fixedYes and Yes
T361448GuMaxDDCVE-2024-40599NoYesYesNoYes
T361450NimbusCVE-2024-40604NoNoYesYesYes
T361451TempoCVE-2024-40602YesNoYesNoYes
T361452ForegroundCVE-2024-40605NoNoYesNoYes
T361453BlueLLCVE-2024-40612N/AN/AN/AN/AYes
T361449MetrolookCVE-2024-40600YesYesYesNoYes
T362588MediaWikiChatCVE-2024-40601NoNoNoNoYes
T363884ArticleRatingsCVE-2024-40603N/AN/AYesYesYes
T363773GadgetsCVE-2024-40613YesYesYesYesYes

Notes

  1. T326867, T326866 & T326865 cannot be effectively fixed before REL1_42 because it required database schema changes to fix and then large-scale changes to read rows from multiple tables (which would be difficult to backport). The issues are public, have low risk and the extension is not bundled, so it should be okay to leave unfixed in currently supported release versions.
  2. T268147 had no specific patches, because they were either included in other tasks or fixed via T345777.

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Mar 28 2024, 11:00 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2024, 11:00 PM
Reedy added a parent task: Restricted Task.Mar 28 2024, 11:00 PM
Reedy updated the task description. (Show Details)Mar 28 2024, 11:09 PM
sbassett changed the task status from Open to In Progress.Apr 2 2024, 5:40 PM
sbassett triaged this task as Low priority.
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added subscribers: Mstyles, mmartorana, Bawolff, RhinosF1.
sbassett subscribed.
sbassett updated the task description. (Show Details)Apr 2 2024, 5:53 PM
sbassett updated the task description. (Show Details)Apr 2 2024, 5:56 PM
sbassett mentioned this in T361448: CVE-2024-40599: GuMaxDD skin: stored XSS via MediaWiki:Sidebar.
sbassett mentioned this in T361450: CVE-2024-40604: Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar.Apr 2 2024, 5:59 PM
sbassett mentioned this in T361451: CVE-2024-40602: Tempo skin: stored XSS via MediaWiki:Sidebar.
sbassett mentioned this in T361452: CVE-2024-40605: Foreground skin: stored XSS via MediaWiki:Sidebar.
sbassett mentioned this in T361453: CVE-2024-40612: BlueLL skin: stored XSS via MediaWiki:Sidebar.
sbassett assigned this task to mmartorana.Apr 3 2024, 7:06 PM
sbassett added a subscriber: Dreamy_Jazz.
sbassett updated the task description. (Show Details)Apr 3 2024, 7:08 PM
sbassett updated the task description. (Show Details)Apr 3 2024, 7:11 PM
sbassett updated the task description. (Show Details)Apr 3 2024, 7:56 PM
sbassett updated the task description. (Show Details)Apr 3 2024, 9:17 PM
sbassett updated the task description. (Show Details)Apr 3 2024, 9:19 PM
Dreamy_Jazz updated the task description. (Show Details)Apr 4 2024, 7:38 PM
sbassett updated the task description. (Show Details)Apr 10 2024, 1:35 PM
Dreamy_Jazz updated the task description. (Show Details)Apr 15 2024, 5:41 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)Apr 16 2024, 11:22 AM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Apr 23 2024, 3:09 PM
Dreamy_Jazz updated the task description. (Show Details)Apr 30 2024, 10:26 AM
Dreamy_Jazz updated the task description. (Show Details)Apr 30 2024, 1:36 PM
sbassett updated the task description. (Show Details)May 2 2024, 3:25 PM
sbassett updated the task description. (Show Details)May 14 2024, 9:10 PM
sbassett updated the task description. (Show Details)May 20 2024, 3:35 PM
sbassett updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)May 22 2024, 4:06 PM
Dreamy_Jazz updated the task description. (Show Details)May 28 2024, 10:27 AM
sbassett updated the task description. (Show Details)Jun 4 2024, 4:36 PM
Reedy mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).Jun 27 2024, 3:23 PM
mmartorana updated the task description. (Show Details)Jul 3 2024, 2:18 PM
mmartorana updated the task description. (Show Details)Jul 3 2024, 2:22 PM
mmartorana updated the task description. (Show Details)Jul 8 2024, 3:16 PM
mmartorana updated the task description. (Show Details)Jul 8 2024, 3:25 PM
mmartorana updated the task description. (Show Details)Jul 8 2024, 3:45 PM
mmartorana added a comment.EditedJul 8 2024, 5:31 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)

Greetings-

With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T361293, CVE-2024-40606) - Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it
https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2

CheckUser
+ (T361295, CVE-2024-40610) - CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them
https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9

CheckUser
+ (T361296, CVE-2024-40608) - Special:Investigate exposes suppressed usernames to those who do not have the rights to see them
https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241

CheckUser
+ (T361479, CVE-2024-40607) - Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL
https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232

CheckUser
+ (T326867, CVE-2024-40598) - CheckUser API can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294

CheckUser
+ (T326865, CVE-2024-40597) - Special:CheckUser can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782

CheckUser
+ (T338419, CVE-2024-40609) - Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode
https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22

CheckUser
+ (T268147, CVE-2024-40611) - Special:CheckUser shows deleted edits to non-admins

CheckUser
+ (T326866, CVE-2024-40596) - Special:Investigate can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100

GuMaxDD
+ (T361448, CVE-2024-40599) - GuMaxDD skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a

Nimbus
+ (T361450, CVE-2024-40604) - Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar
https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad

Tempo
+ (T361451, CVE-2024-40602) - Tempo skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a

Foreground
+ (T361452, CVE-2024-40605) - Foreground skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344

BlueLL
+ (T361453, CVE-2024-40612) - BlueLL skin: stored XSS via MediaWiki:Sidebar
https://github.com/lingua-libre/BlueLL/pull/18

Metrolook
+ (T361449, CVE-2024-40600) - Metrolook skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e

MediaWikiChat
+ (T362588, CVE-2024-40601) - Classic CSRF in MediaWikiChat's API modules
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/1023496

ArticleRatings
+ (T363884, CVE-2024-40603) - Special:ChangeRating is vulnerable to CSRF
https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7

Gadgets
+ (T363773, CVE-2024-40613) - Evil regex used to process gadget definitions
https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T361321
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana updated the task description. (Show Details)Jul 10 2024, 8:49 AM
mmartorana closed this task as Resolved.Jul 10 2024, 9:22 AM

Supplemental announcement is out!

mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 10 2024, 9:23 AM
mmartorana updated the task description. (Show Details)
sbassett awarded a token.Jul 19 2024, 4:42 PM
sbassett added a comment.Jul 19 2024, 4:45 PM

One minor note about this release: T363773#9971646

Reedy mentioned this in T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).Sep 25 2024, 1:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits