Page MenuHomePhabricator
Create Task
Maniphest T382326

Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1)
Closed, ResolvedPublic
Actions

Description

Previous work: T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4)

Maniphest IDExtension or SkinCVE IDREL1_39REL1_42REL1_43master
T383472SimpleCalendarCVE-2025-32077YesYesYesYes
T384269VersionCompareCVE-2025-32078YesYesYesYes
T384244GrowthExperimentsCVE-2025-32079NoNoNoYes
T366402MobileFrontendCVE-2025-32080NoNoNoYes
T385935VisualDataCVE-2025-32076NoNoNoYes
T386175MediaWiki CoreCVE-2025-32072YesYesYesYes
T386337HTMLTagsCVE-2025-32073NoNoNoYes
T386908ConfirmAccountCVE-2025-32074YesYesYesYes
T386887TabsCVE-2025-32075YesYesYesYes
T386963GrowthExperimentsCVE-2025-32067NoNoNoYes
T336113OAuthCVE-2025-32068YesYesYesYes
T387691WikibaseMediaInfoCVE-2025-32069YesYesYesYes
T389590AJAXPollCVE-2025-32070YesYesYesYes
T389369WikibaseCVE-2025-32071YesYesYesYes

Notes

  • T381617 is technically complete, for now, and involved a few different extensions/mediawiki components. We should try to figure out a good way to include it within this release.
  • The "Feed Utils" issue (T386175) was actually a part of MediaWiki Core and should have been included within the respective core security release (T382316). Backports to supported release branches have been picked and will be merged soon (see above table).

Template

TxxxxxxExtNameCVE-2025-xxxxxNoNoNoNo

Details

TitleReferenceAuthorSource BranchDest Branch
Adding CVEs for 1.39.12 / 1.42.6 / 1.43.1 supplemental releaserepos/security/wikimedia-cve-assignments!4mstylesq4-supp-releasemain
Customize query in GitLab

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Dec 17 2024, 11:50 AM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 17 2024, 11:50 AM
Reedy added a parent task: Restricted Task.Dec 17 2024, 11:50 AM
Reedy added subscribers: mmartorana, Mstyles, sbassett.
sbassett assigned this task to Mstyles.Jan 13 2025, 8:44 PM
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett mentioned this in T366402: CVE-2025-32080: Cross-origin data leak in mobilefrontend via lazy load images.
sbassett added subscribers: Jdlrobson, Bawolff.
sbassett updated the task description. (Show Details)Jan 13 2025, 8:47 PM
Jly subscribed.Jan 14 2025, 6:30 PM
Jly updated the task description. (Show Details)Jan 15 2025, 10:32 AM
sbassett updated the task description. (Show Details)Jan 24 2025, 4:43 PM
sbassett updated the task description. (Show Details)Jan 24 2025, 4:50 PM
sbassett updated the task description. (Show Details)Jan 24 2025, 4:53 PM
Reedy renamed this task from Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.5/1.43.1) to Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Feb 3 2025, 5:35 PM
sbassett updated the task description. (Show Details)Feb 13 2025, 2:46 PM
sbassett updated the task description. (Show Details)Feb 13 2025, 2:48 PM
sbassett mentioned this in T386175: CVE-2025-32072: HTML injection in feed output from i18n message.Feb 14 2025, 3:53 PM
sbassett updated the task description. (Show Details)Feb 19 2025, 4:47 PM
sbassett updated the task description. (Show Details)Feb 19 2025, 6:10 PM
sbassett updated the task description. (Show Details)Feb 19 2025, 8:26 PM
sbassett updated the task description. (Show Details)Feb 21 2025, 3:09 PM
sbassett updated the task description. (Show Details)
sbassett updated the task description. (Show Details)Feb 24 2025, 2:46 PM
sbassett updated the task description. (Show Details)Feb 24 2025, 10:27 PM
mmartorana updated the task description. (Show Details)Feb 26 2025, 4:47 PM
sbassett updated the task description. (Show Details)Feb 26 2025, 10:23 PM
sbassett updated the task description. (Show Details)Mar 8 2025, 1:13 AM
Lucas_Werkmeister_WMDE mentioned this in T387691: CVE-2025-32069: Wikitext stored XSS on filepages due to dangerous WBMI serialization.Mar 10 2025, 3:53 PM
WMDE-leszek added subscribers: matthiasmullie, MarkTraceur.Mar 12 2025, 4:51 PM
WMDE-leszek subscribed.
Lucas_Werkmeister_WMDE mentioned this in T389369: CVE-2025-32071: Wikibase CommonsInlineImageFormatter: i18n XSS from widthheight message via ImageHandler::getDimensionsString().Mar 19 2025, 3:35 PM
Tgr mentioned this in T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.Mar 20 2025, 1:24 PM
sbassett updated the task description. (Show Details)Mar 21 2025, 2:13 PM
Mstyles updated the task description. (Show Details)Wed, Mar 26, 5:34 AM
sbassett updated the task description. (Show Details)Tue, Apr 1, 9:34 PM
Mstyles updated the task description. (Show Details)Thu, Apr 3, 9:56 PM
Mstyles updated the task description. (Show Details)Fri, Apr 11, 1:35 AM
Mstyles updated the task description. (Show Details)Fri, Apr 11, 4:52 PM

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)

Greetings-

With the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

SimpleCalendar
+ (T383472, CVE-2025-32077) - XSSes in Extension:SimpleCalendar
https://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be

VersionCompare
+ (T384269, CVE-2025-32078) - XSSes and potential RCE in Special:VersionCompare
https://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0

GrowthExperiments
+ (T384244, CVE-2025-32079) - Saving the right content to MediaWiki:GrowthMentors.json can take down the site
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1114020

MobileFrontend
+ (T366402, CVE-2025-32080) - Cross-origin data leak in mobilefrontend via lazy load images
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/1123392

VisualData
+ (T385935, CVE-2025-32076) - Evil regex used to process user-provided data in VisualData
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732

FeedUtils
+ (T386175, CVE-2025-32072) - HTML injection in feed output from i18n message
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134

HTMLTags
+ (T386337, CVE-2025-32073) - System message XSS in HTMLTags
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056

ConfirmAccount
+ (T386908, CVE-2025-32074) - XSSes in Extension:ConfirmAccount
https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f

Tabs
+ (T386887, CVE-2025-32075) - IP and user agent leaks in Extension:Tabs
https://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092

GrowthExperiments
+ (T386963, CVE-2025-32067) - i18n XSS vulnerability in message growthexperiments
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163

OAuth
+ (T336113, CVE-2025-32068) - Revoking authorization of OAuth2 consumer does not invalidate refresh tokens
https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc

WikibaseMediaInfo
+ (T387691, CVE-2025-32069) - Wikitext stored XSS on filepages due to dangerous WBMI serialization
https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657

AJAXPoll
+ (T389590, CVE-2025-32070) - XSSes in AJAXPoll
https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c

Wikibbase
+ (T389369, CVE-2025-32071) - Wikibase CommonsInlineImageFormatter: i18n XSS
https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T382326
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

Mstyles updated the task description. (Show Details)Fri, Apr 11, 4:59 PM
sbassett closed this task as Resolved.Fri, Apr 11, 4:59 PM
sbassett triaged this task as Medium priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Subscribers" to "All Users".
Mstyles added a comment.Fri, Apr 11, 5:00 PM

Supplemental announcement is out!

Mstyles updated the task description. (Show Details)Fri, Apr 11, 5:12 PM
RhinosF1 reopened this task as Open.Fri, Apr 11, 5:35 PM
RhinosF1 subscribed.

Email linked and sent is

MediaWiki Extensions and Skins Security Release Supplement (1.39.9/1.41.3/1.42.2)

NOT

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)

sbassett added a comment.Fri, Apr 11, 8:27 PM
In T382326#10734414, @RhinosF1 wrote:

Email linked and sent is

MediaWiki Extensions and Skins Security Release Supplement (1.39.9/1.41.3/1.42.2)

NOT

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)

Yeah, we'll probably want to send out a quick correction email to the various mailing lists.

RhinosF1 added a comment.Fri, Apr 11, 8:37 PM

Given the entire email was the wrong version, I'd say it's probably a good idea to send out the correct supplement, yes.

sbassett added a comment.Fri, Apr 11, 8:40 PM
In T382326#10735013, @RhinosF1 wrote:

Given the entire email was the wrong version, I'd say it's probably a good idea to send out the correct supplement, yes.

Ugh, well, I just sent out a correction because I assumed the email content was at least correct :/

RhinosF1 added a comment.Fri, Apr 11, 8:42 PM
In T382326#10735023, @sbassett wrote:
In T382326#10735013, @RhinosF1 wrote:

Given the entire email was the wrong version, I'd say it's probably a good idea to send out the correct supplement, yes.

Ugh, well, I just sent out a correction because I assumed the email content was at least correct :/

Nope, you'll notice in the email all the CVEs are CVE-2024-XXXX

sbassett added a comment.EditedFri, Apr 11, 8:54 PM

Ok, updated release emails have now been sent:

I performed a quick data integrity check of the bugs, CVEs and gerrit URLs and they all seem correct, save one minor typo that I'm not worried about (Wikibbase)

sbassett closed this task as Resolved.Fri, Apr 11, 8:55 PM
sbassett updated the task description. (Show Details)Thu, Apr 17, 10:50 PM
sbassett updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits