Page MenuHomePhabricator
Create Task
Maniphest T87275

MediaWiki Security release 1.24.2
Closed, ResolvedPublic
Actions

Assigned To
csteipp
Authored By
csteipp
Jan 20 2015, 11:02 PM
Tags
Referenced Files
F107424: mediawiki-1.23.9.patch.gz
Mar 31 2015, 1:34 PM
F107423: mediawiki-1.19.24.patch.gz
Mar 31 2015, 1:34 PM
F107425: mediawiki-1.24.2.patch.gz
Mar 31 2015, 1:34 PM
F107420: mediawiki-i18n-1.23.9.patch.gz
Mar 31 2015, 1:34 PM
F107421: mediawiki-i18n-1.24.2.patch.gz
Mar 31 2015, 1:34 PM
F107422: mediawiki-i18n-1.19.24.patch.gz
Mar 31 2015, 1:34 PM
Subscribers
Aklapper
csteipp
greg
Grunny
He7d3r
Krenair
ProgramCeltic

Related Objects
Search...

Event Timeline

csteipp created this task.Jan 20 2015, 11:02 PM
csteipp claimed this task.
csteipp raised the priority of this task from to Medium.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2015, 11:02 PM
csteipp added subtasks: T86711: Fix SVG blacklist for animate, T85850: Stored XSS in SVG via embedded SVG, T85858: Check User page lacks CSRF protection, T64685: Extremely large passwords as DoS, T73394: XSS in language converter when used with Html class's tricky escaping, T85349: SVG @import style validation bypass, T85851: Reflected XSS in api.php using wddx formatting, T85848: Billion Laughs attack in SVG and XMP Metadata, T85113: Function names aren't sanitized in Lua error backtraces.Jan 20 2015, 11:08 PM
csteipp closed subtask T86711: Fix SVG blacklist for animate as Resolved.Jan 20 2015, 11:11 PM
csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.
csteipp closed subtask T85858: Check User page lacks CSRF protection as Resolved.
csteipp closed subtask T85349: SVG @import style validation bypass as Resolved.Jan 20 2015, 11:13 PM
csteipp closed subtask T85113: Function names aren't sanitized in Lua error backtraces as Resolved.Jan 20 2015, 11:15 PM
csteipp closed subtask T64685: Extremely large passwords as DoS as Resolved.Jan 23 2015, 8:10 PM
csteipp reopened subtask T85850: Stored XSS in SVG via embedded SVG as Open.Jan 28 2015, 12:26 AM
Legoktm added a parent task: T88120: Release MW 1.24.2 and 1.23.9 tarballs.Jan 30 2015, 9:43 PM
csteipp closed subtask T85850: Stored XSS in SVG via embedded SVG as Resolved.Feb 17 2015, 11:56 PM
csteipp added subtasks: T89745: Stored XSS in PDF files, T89744: External reference in PDF.Feb 21 2015, 12:46 AM
Aklapper added a comment.Feb 24 2015, 2:14 PM

Wondering whether to also add T72510 which has a patch waiting since December.

csteipp closed subtask T85848: Billion Laughs attack in SVG and XMP Metadata as Resolved.Mar 17 2015, 11:33 PM
csteipp added a subtask: T88310: xml_parse doesn't expand internal entities sometimes.Mar 19 2015, 8:20 PM
csteipp added a subtask: T71210: MediaWiki is vulnerable to XML quadratic blowup attacks.Mar 19 2015, 9:17 PM
csteipp added a subtask: T85855: Custom JavaScript may yield privilege escalation.Mar 25 2015, 10:35 PM
csteipp closed subtask T71210: MediaWiki is vulnerable to XML quadratic blowup attacks as Resolved.Mar 28 2015, 5:17 AM
csteipp closed subtask T73394: XSS in language converter when used with Html class's tricky escaping as Resolved.Mar 28 2015, 5:22 AM
csteipp closed subtask T85851: Reflected XSS in api.php using wddx formatting as Resolved.Mar 28 2015, 5:27 AM
csteipp added subscribers: Grunny, ProgramCeltic.Mar 30 2015, 7:56 PM
csteipp removed subtasks: T89744: External reference in PDF, T89745: Stored XSS in PDF files.Mar 30 2015, 8:00 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:39 PM
csteipp added a comment.Mar 31 2015, 1:34 PM

mediawiki-i18n-1.23.9.patch.gz20 BDownload

mediawiki-i18n-1.24.2.patch.gz20 BDownload

mediawiki-i18n-1.19.24.patch.gz20 BDownload

mediawiki-1.19.24.patch.gz8 KBDownload

mediawiki-1.23.9.patch.gz20 KBDownload

mediawiki-1.24.2.patch.gz28 KBDownload

Apparently phabricator can't upload more than 10MB, so I can't post the full versions yet..

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:13 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
Aklapper mentioned this in T94564: Increase Phabricator max upload size.Apr 1 2015, 2:02 PM
greg closed this task as Resolved.Apr 1 2015, 2:55 PM
greg subscribed.

Thanks Chris.

csteipp mentioned this in T94565: Adding users to CC on Phabricator security tasks doesn't add them to the view/edit policy.Apr 1 2015, 6:27 PM
He7d3r subscribed.Apr 3 2015, 11:16 PM

Was the security audit published somewhere e.g. on mw.org or wikitech?

Krenair subscribed.Apr 3 2015, 11:19 PM

Not yet, but T85862 intends to make it public when all of the issues are resolved.

chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL