Page MenuHomePhabricator
Create Task
Maniphest T375631

Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4)
Closed, ResolvedPublic
Actions

Description

Previous work: T361321: Write and send supplementary release announcement for extensions and skins with security patches (1.39.8/1.40.4/1.41.2/1.42.0), T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2)

Maniphest IDExtension or SkinCVE IDREL1_39REL1_41REL1_42master
T373265SocialProfileCVE-2025-23074NoPendingPendingYes
T377855GlobalBlockingCVE-2025-23073NoNoNoYes
T378885RefreshSpecialCVE-2025-23072NoPendingYesYes
T379749DataTransferCVE-2025-23081NoYesYes, Yes, YesYes, Yes, Yes, Yes, Yes, Yes, (several more - see bug)
T381220OpenBadgesCVE-2025-23080NoPendingYesYes
T381753ArticleFeedbackv5CVE-2025-23079NoYesYesYes
T382043BreadCrumbs2CVE-2025-23078NoNoYesYes

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Sep 25 2024, 1:43 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 25 2024, 1:43 PM
Reedy added a parent task: Restricted Task.Sep 25 2024, 1:43 PM
Reedy updated the task description. (Show Details)Sep 25 2024, 1:49 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.39.10/1.41.4/1.42.3) to Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).Sep 30 2024, 11:48 PM
Mstyles subscribed.Oct 5 2024, 1:18 AM

I'm not able to edit this ticket but I would like the following to be added since it didn't go in the previous release

T373265SocialProfileCVE-2024-xxxxxNoNoNoPending
Reedy changed the visibility from "Custom Policy" to "Custom Policy".Oct 5 2024, 10:22 PM
Reedy changed the edit policy from "Subscribers" to "Custom Policy".
Reedy added a comment.Oct 5 2024, 10:26 PM
In T375631#10204321, @Mstyles wrote:

I'm not able to edit this ticket but I would like the following to be added since it didn't go in the previous release

T373265SocialProfileCVE-2024-xxxxxNoNoNoPending

T307036: Update visibility and edit policies for the creation of "Write and send supplementary release..." tasks made it so this ticket you need to be a subscriber... Not a subscriber *or* in the acl*security...

But you're now subscribed (from your comment), so you'll be able to edit it.

I'll file a task about trying to improve it... Depending on how complex it is, it might be easier to just default add some subscribers...

Reedy added a comment.Oct 6 2024, 12:01 AM

I've added us all as subscribers by default in T376553: Add default subscribers in make-security-tasks/makesecuritytasks.py. Pending a "better" solution in T376551: Complex acl for make-security-tasks/makesecuritytasks.py.

sbassett added subscribers: Bawolff-alt, RhinosF1, sbassett.Oct 7 2024, 3:04 PM
In T375631#10205020, @Reedy wrote:

I've added us all as subscribers by default in T376553: Add default subscribers in make-security-tasks/makesecuritytasks.py. Pending a "better" solution in T376551: Complex acl for make-security-tasks/makesecuritytasks.py.

Thanks. Yeah, I know this is a little awkward, but I still feel T307036 was necessary as the supplemental release very often involves coordination with volunteers/community.

sbassett added a project: user-sbassett.Oct 7 2024, 3:04 PM
sbassett updated the task description. (Show Details)
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett edited subscribers, added: Bawolff; removed: Bawolff-alt.
Mstyles updated the task description. (Show Details)Oct 8 2024, 12:40 AM
sbassett updated the task description. (Show Details)Oct 8 2024, 2:02 AM
Mstyles updated the task description. (Show Details)Oct 21 2024, 4:23 PM
sbassett updated the task description. (Show Details)Oct 31 2024, 4:38 PM
sbassett updated the task description. (Show Details)Nov 6 2024, 5:46 PM
sbassett updated the task description. (Show Details)Nov 8 2024, 7:13 PM
sbassett updated the task description. (Show Details)Nov 13 2024, 3:37 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Nov 19 2024, 3:47 PM
sbassett updated the task description. (Show Details)Nov 21 2024, 5:02 PM
Mstyles updated the task description. (Show Details)Dec 2 2024, 5:26 PM
sbassett mentioned this in T381617: XSS in Charts extension combined with TemplateStyles, LanguageConverter, ToC.Dec 10 2024, 8:28 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)
mmartorana updated the task description. (Show Details)Dec 11 2024, 2:08 PM
Aklapper updated the task description. (Show Details)Dec 11 2024, 9:05 PM
mmartorana updated the task description. (Show Details)Dec 19 2024, 3:31 PM
mmartorana updated the task description. (Show Details)Jan 10 2025, 4:27 PM
mmartorana updated the task description. (Show Details)Jan 10 2025, 4:29 PM
mmartorana updated the task description. (Show Details)Jan 10 2025, 4:44 PM
mmartorana updated the task description. (Show Details)Jan 10 2025, 7:06 PM
sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Jan 13 2025, 8:47 PM
sbassett updated the task description. (Show Details)Jan 13 2025, 9:13 PM
sbassett updated the task description. (Show Details)Jan 13 2025, 9:23 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 4:41 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 4:57 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 6:30 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 6:59 PM
mmartorana subscribed.Jan 14 2025, 7:16 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.11/1.41.5/1.42.4)

Greetings-

With the security/maintenance release of MediaWiki 1.39.11/1.41.5/1.42.4, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

SocialProfile
+ (T373265, CVE-2025-23074) - Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)
https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a

GlobalBlocking
+ (T377855, CVE-2025-23073) - API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter
https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486

RefreshSpecial
+ (T378885, CVE-2025-23072) - XSS in Special:RefreshSpecial
https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc

DataTransfer
+ (T379749, CVE-2025-23081) - Various security vulnerabilities in Extension:DataTransfer
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451

OpenBadges
+ (T381220, CVE-2025-23080) - XSSes in Special:BadgeView
https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2

ArticleFeedbackv5
+ (T381753, CVE-2025-23079) - XSSes in Extension:ArticleFeedbackv5
https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3

BreadCrumbs2
+ (T382043, CVE-2025-23078) - XSS in BreadCrumbs2
https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T375631
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

mmartorana claimed this task.Jan 14 2025, 7:16 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 7:23 PM
mmartorana updated the task description. (Show Details)Jan 14 2025, 7:32 PM
mmartorana updated the task description. (Show Details)
mmartorana updated the task description. (Show Details)Jan 14 2025, 7:37 PM
mmartorana updated the task description. (Show Details)
sbassett closed this task as Resolved.Jan 14 2025, 7:44 PM
sbassett triaged this task as Medium priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
mmartorana added a comment.Jan 14 2025, 7:51 PM

Supplemental announcement is out!

sbassett moved this task from In Progress to Done on the user-sbassett board.Jan 14 2025, 7:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits