Page MenuHomePhabricator
Create Task
Maniphest T368628

Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2)
Closed, ResolvedPublicSecurity
Actions

Description

Previous work: T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0) / T353904: Write and send supplementary release announcement for extensions and skins with security patches (1.39.7/1.40.3/1.41.1)

Maniphest IDExtension or SkinCVE IDREL1_39REL1_41REL1_42master
T366991PageTriageCVE-2024-47848NoNoYesYes
T368594CSSCVE-2024-47845NoNoYesYes
T370022WidgetsCVE-2024-35226YesNoYesYes
T370632CargoCVE-2024-47849NoNoNoYes
T372209CargoCVE-2024-47846NoNoNoYes
T372211CargoCVE-2024-47847NoNoNoYes (1, 2, 3, 4)
T370081ApexCVE-2024-47840NoNoYesYes
T369486CSSCVE-2024-47841NoNoYesYes
T375358DataTransferCVE-2024-45048, CVE-2024-45046YesNoNoYes

Template

TxxxxxxExtNameCVE-2024-xxxxxNoNoNoNo

Notes

  1. T373889 - ext:CommunityConfiguration briefly had XSS issues on the beta cluster

Details

Risk Rating
Informational
Author Affiliation
WMF Technology

Related Objects
Search...

Event Timeline

Reedy created this task.Jun 27 2024, 3:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2024, 3:22 PM
Reedy added a parent task: Restricted Task.Jun 27 2024, 3:22 PM
Reedy edited projects, added MediaWiki-Releasing; removed Security-Team.
Reedy updated the task description. (Show Details)
sbassett changed the task status from Open to In Progress.Jul 8 2024, 9:15 PM
sbassett triaged this task as Medium priority.
sbassett changed Author Affiliation from N/A to WMF Technology.
sbassett updated the task description. (Show Details)
sbassett changed Risk Rating from N/A to Informational.
sbassett updated the task description. (Show Details)
sbassett added subscribers: mmartorana, Mstyles, Bawolff, RhinosF1.
sbassett subscribed.
sbassett updated the task description. (Show Details)Jul 8 2024, 9:20 PM
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett updated the task description. (Show Details)Jul 16 2024, 11:43 PM
sbassett updated the task description. (Show Details)Jul 22 2024, 4:48 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Jul 22 2024, 5:36 PM
sbassett updated the task description. (Show Details)Aug 15 2024, 3:05 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Aug 19 2024, 3:14 PM
sbassett added a subscriber: Redmin.
sbassett mentioned this in T370081: CVE-2024-47840: Stored XSS through sidebar in Apex skin.Aug 19 2024, 3:17 PM
sbassett updated the task description. (Show Details)Aug 20 2024, 1:57 PM
sbassett updated the task description. (Show Details)Aug 26 2024, 4:20 PM
Mstyles updated the task description. (Show Details)Aug 30 2024, 12:46 AM
sbassett updated the task description. (Show Details)Sep 5 2024, 3:06 PM
sbassett updated the task description. (Show Details)Sep 23 2024, 3:53 PM
sbassett updated the task description. (Show Details)Sep 23 2024, 3:56 PM
Reedy mentioned this in T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).Sep 25 2024, 1:49 PM
Mstyles updated the task description. (Show Details)Sep 30 2024, 8:59 PM
Mstyles updated the task description. (Show Details)Oct 5 2024, 12:16 AM
Mstyles updated the task description. (Show Details)Oct 5 2024, 1:21 AM
Mstyles added a comment.Oct 5 2024, 1:40 AM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.9/1.41.3/1.42.2)

Greetings-

With the security/maintenance release of MediaWiki 1.39.9/1.41.3/1.42.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

PageTriage
+ (T366991, CVE-2024-47848) - User can review/unreview articles while blocked
https://gerrit.wikimedia.org/r/q/I0288a715f7040a14ab7f70b2888fe1ef77a44588

CSS
+ (T368594, CVE-2024-47845) - CSS sanitizer used incorrectly
https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53

Widgets
+ (T370022, CVE-2024-35226) - smarty library version has CVE
https://gerrit.wikimedia.org/r/q/I18f161c338f8c52477a766524c255a31879d5e63

Cargo
+ (T370632, CVE-2024-47849) - Backticks can allow the usage of not-allowed SQL functions
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1055963

Cargo
+ (T372209, CVE-2024-47846) - Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723

Cargo
+ (T372211, CVE-2024-47847) - Various XSSes found in Cargo
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063804
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063806
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063827
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063831

Apex
+ (T370081, CVE-2024-47840) - Stored XSS through sidebar
https://gerrit.wikimedia.org/r/q/Id9093783051c3f8e6dcb5dc89f9493a5f5cf7bd7

CSS
+ (T369486, CVE-2024-47841) - Path traversal when loading stylesheets
https://gerrit.wikimedia.org/r/q/I46613d8d50fc978bdac58e2b312ee03324c1edc8

DataTransfer
+ (T375358, CVE-2024-45048, CVE-2024-45046) - vulnerable version of phpoffice/phpspreadsheet
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1074761

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T368628
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles closed this task as Resolved.Oct 5 2024, 1:46 AM
Mstyles claimed this task.

Supplemental announcement is out!

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 5 2024, 1:47 AM
Mstyles changed the edit policy from "Custom Policy" to "All Users".
sbassett updated the task description. (Show Details)Oct 7 2024, 2:52 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Oct 7 2024, 2:55 PM
sbassett updated the task description. (Show Details)
sbassett removed a project: user-sbassett.Oct 7 2024, 3:02 PM
sbassett mentioned this in T366991: CVE-2024-47848: User can review/unreview articles while blocked.Oct 22 2024, 2:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits