SecurityPatchBot
Security Patch Failure Notification Bot

User Details

User Since: Feb 6 2024, 3:43 PM (105 w, 4 d)
Roles: Bot
Availability: Available
LDAP User: Unknown
MediaWiki User: Unknown

This bot is used to ping security patch tasks when their corresponding patch fails to apply for a MediaWiki branch.

Owned by @jnuche and Release-Engineering-Team

For more details: T350065: Notify MediaWiki security tasks as soon as an uploaded patch fails to apply

Recent Activity

Wed, Jan 28

SecurityPatchBot added a subtask for T413805: 1.46.0-wmf.14 deployment blockers: Unknown Object (Task).
Wed, Jan 28, 12:54 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot changed the status of Restricted Task, a subtask of T413805: 1.46.0-wmf.14 deployment blockers, from In Progress to Open.
Wed, Jan 28, 12:54 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Jan 13 2026

SecurityPatchBot added a comment to T410560: CVE-2026-0817: CampaignEvents API missing authorization exposes meeting and chat URLs.

If the patch needs to be rebased

Jan 13 2026, 2:26 AM · Patch-For-Review, SecTeam-Processed, Connection-Team (Connection-Current-Sprint), Vuln-Infoleak, CampaignEvents, Security, Security-Team

Jan 10 2026

SecurityPatchBot changed the status of T410560: CVE-2026-0817: CampaignEvents API missing authorization exposes meeting and chat URLs from In Progress to Open.

If the patch needs to be rebased

Jan 10 2026, 12:55 AM · Patch-For-Review, SecTeam-Processed, Connection-Team (Connection-Current-Sprint), Vuln-Infoleak, CampaignEvents, Security, Security-Team
SecurityPatchBot added a subtask for T413802: 1.46.0-wmf.11 deployment blockers: T410560: CVE-2026-0817: CampaignEvents API missing authorization exposes meeting and chat URLs.
Jan 10 2026, 12:55 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot changed the status of T410560: CVE-2026-0817: CampaignEvents API missing authorization exposes meeting and chat URLs, a subtask of T413802: 1.46.0-wmf.11 deployment blockers, from In Progress to Open.
Jan 10 2026, 12:55 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Jan 9 2026

SecurityPatchBot added a subtask for T413802: 1.46.0-wmf.11 deployment blockers: Unknown Object (Task).
Jan 9 2026, 12:53 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened Restricted Task, a subtask of T413802: 1.46.0-wmf.11 deployment blockers, as Open.
Jan 9 2026, 12:53 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Nov 20 2025

SecurityPatchBot added a subtask for T408274: 1.46.0-wmf.4 deployment blockers: T409743: English Wikibooks main page subpages under cascading protection are editable by anyone, and MP stylesheets do not display protection messages to non-admins.
Nov 20 2025, 12:55 AM · User-brennen, Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T409743: English Wikibooks main page subpages under cascading protection are editable by anyone, and MP stylesheets do not display protection messages to non-admins, a subtask of T408274: 1.46.0-wmf.4 deployment blockers, as Open.
Nov 20 2025, 12:55 AM · User-brennen, Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T409743: English Wikibooks main page subpages under cascading protection are editable by anyone, and MP stylesheets do not display protection messages to non-admins as "Open".

If the patch needs to be rebased

Nov 20 2025, 12:55 AM · MW-1.46-notes (1.46.0-wmf.4; 2025-11-25), MW-1.45-release, Regression, SecTeam-Processed, MediaWiki-Page-editing, MediaWiki-Page-protection, Security-Team, Security

Sep 30 2025

SecurityPatchBot added a subtask for T405677: 1.45.0-wmf.21 deployment blockers: Unknown Object (Task).
Sep 30 2025, 1:32 AM · User-brennen, Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Sep 16 2025

SecurityPatchBot added a comment to T401220: CVE-2025-62666: CirrusSearch: DoS vector through the cirrusbuilddoc query API.

If the patch needs to be rebased

Sep 16 2025, 1:27 AM · Patch-For-Review, Essential-Work, Discovery-Search (2025.09.05 - 2025.09.26), serviceops, SecTeam-Processed, CirrusSearch, Vuln-DoS, Security, Security-Team

Sep 15 2025

SecurityPatchBot added a subtask for T396380: 1.45.0-wmf.19 deployment blockers: T401220: CVE-2025-62666: CirrusSearch: DoS vector through the cirrusbuilddoc query API.
Sep 15 2025, 11:55 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot changed the status of T401220: CVE-2025-62666: CirrusSearch: DoS vector through the cirrusbuilddoc query API, a subtask of T396380: 1.45.0-wmf.19 deployment blockers, from In Progress to Open.
Sep 15 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot changed the status of T401220: CVE-2025-62666: CirrusSearch: DoS vector through the cirrusbuilddoc query API from In Progress to Open.

If the patch needs to be rebased

Sep 15 2025, 11:54 PM · Patch-For-Review, Essential-Work, Discovery-Search (2025.09.05 - 2025.09.26), serviceops, SecTeam-Processed, CirrusSearch, Vuln-DoS, Security, Security-Team

Sep 14 2025

SecurityPatchBot raised the priority of T404392: Arbitrary HTML injection through error display on Wikifunctions from High to Unbreak Now!.

If the patch needs to be rebased

Sep 14 2025, 11:54 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.18; 2025-09-09), Vuln-XSS, Abstract Wikipedia team (26Q1 (Jul–Sep)), Essential-Work, WikiLambda, WikiLambda Front-end, Security, Security-Team

Sep 13 2025

SecurityPatchBot changed the status of T404392: Arbitrary HTML injection through error display on Wikifunctions, a subtask of T396380: 1.45.0-wmf.19 deployment blockers, from In Progress to Open.
Sep 13 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot changed the status of T404392: Arbitrary HTML injection through error display on Wikifunctions from In Progress to Open.

If the patch needs to be rebased

Sep 13 2025, 11:53 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.18; 2025-09-09), Vuln-XSS, Abstract Wikipedia team (26Q1 (Jul–Sep)), Essential-Work, WikiLambda, WikiLambda Front-end, Security, Security-Team

Sep 12 2025

SecurityPatchBot added a subtask for T396380: 1.45.0-wmf.19 deployment blockers: T404392: Arbitrary HTML injection through error display on Wikifunctions.
Sep 12 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot changed the status of T404392: Arbitrary HTML injection through error display on Wikifunctions, a subtask of T396380: 1.45.0-wmf.19 deployment blockers, from In Progress to Open.
Sep 12 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot changed the status of T404392: Arbitrary HTML injection through error display on Wikifunctions from In Progress to Open.

If the patch needs to be rebased

Sep 12 2025, 11:54 PM · SecTeam-Processed, MW-1.45-notes (1.45.0-wmf.18; 2025-09-09), Vuln-XSS, Abstract Wikipedia team (26Q1 (Jul–Sep)), Essential-Work, WikiLambda, WikiLambda Front-end, Security, Security-Team

Sep 10 2025

SecurityPatchBot triaged T403289: CVE-2025-61650: UserInfoCard is vulnerable to message key stored XSS as Unbreak Now! priority.

If the patch needs to be rebased

Sep 10 2025, 11:55 PM · Essential-Work, Product Safety and Integrity, SecTeam-Processed, OKR-Work, Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Vuln-XSS, CheckUser-UserInfoCard, Security, Security-Team
SecurityPatchBot added a subtask for T396380: 1.45.0-wmf.19 deployment blockers: T403289: CVE-2025-61650: UserInfoCard is vulnerable to message key stored XSS.
Sep 10 2025, 11:55 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Aug 29 2025

SecurityPatchBot added a subtask for T396378: 1.45.0-wmf.17 deployment blockers: Unknown Object (Task).
Aug 29 2025, 11:55 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Aug 25 2025

SecurityPatchBot added a subtask for T396377: 1.45.0-wmf.16 deployment blockers: Unknown Object (Task).
Aug 25 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot added a subtask for T396377: 1.45.0-wmf.16 deployment blockers: Unknown Object (Task).
Aug 25 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Aug 21 2025

SecurityPatchBot added a subtask for T396377: 1.45.0-wmf.16 deployment blockers: Unknown Object (Task).
Aug 21 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Aug 19 2025

SecurityPatchBot added a subtask for T396377: 1.45.0-wmf.16 deployment blockers: Unknown Object (Task).
Aug 19 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Aug 18 2025

SecurityPatchBot added a subtask for T396376: 1.45.0-wmf.15 deployment blockers: Unknown Object (Task).
Aug 18 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot changed the status of Restricted Task, a subtask of T396376: 1.45.0-wmf.15 deployment blockers, from In Progress to Open.
Aug 18 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Aug 11 2025

SecurityPatchBot added a subtask for T396375: 1.45.0-wmf.14 deployment blockers: Unknown Object (Task).
Aug 11 2025, 11:54 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Jul 7 2025

SecurityPatchBot reopened T396413: CVE-2025-53497: Stored XSS in RelatedArticles as "Open".

Patch 01-T396413.patch is currently failing to apply for the most recent code in the mainline branch of extensions/RelatedArticles. This is blocking MediaWiki release 1.45.0-wmf.9(T392179)

Jul 7 2025, 11:53 PM · Web-Team, RelatedArticles, affects-Miraheze, Vuln-XSS, Security, Security-Team
SecurityPatchBot added a subtask for T392179: 1.45.0-wmf.9 deployment blockers: T396413: CVE-2025-53497: Stored XSS in RelatedArticles.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T396413: CVE-2025-53497: Stored XSS in RelatedArticles, a subtask of T392179: 1.45.0-wmf.9 deployment blockers, as Open.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS as "Open".

Patch 01-T394397.patch is currently failing to apply for the most recent code in the mainline branch of extensions/FlaggedRevs. This is blocking MediaWiki release 1.45.0-wmf.9(T392179)

Jul 7 2025, 11:53 PM · SecTeam-Processed, FlaggedRevs, Vuln-XSS, Security, Security-Team
SecurityPatchBot added a subtask for T392179: 1.45.0-wmf.9 deployment blockers: T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>, a subtask of T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter, as Open.
Jul 7 2025, 11:53 PM · User-notice-archive, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Trust and Safety Product Team, Epic, WE4.2 Anti-abuse, User-kostajh, MediaWiki-extensions-IPReputation, AbuseFilter
SecurityPatchBot reopened T394397: CVE-2025-53491: Special:PendingChanges vulnerable to i18n XSS, a subtask of T392179: 1.45.0-wmf.9 deployment blockers, as Open.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> as "Open".

Patch 01-T396750.patch is currently failing to apply for the most recent code in the mainline branch of extensions/AbuseFilter. This is blocking MediaWiki release 1.45.0-wmf.9(T392179)

Jul 7 2025, 11:53 PM · OKR-Work, SecTeam-Processed, Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)), Vuln-MissingAuthz, Vuln-Infoleak, MediaWiki-extensions-IPReputation, AbuseFilter, Trust and Safety Product Team, Security, Security-Team
SecurityPatchBot added a subtask for T392179: 1.45.0-wmf.9 deployment blockers: T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>, a subtask of T392179: 1.45.0-wmf.9 deployment blockers, as Open.
Jul 7 2025, 11:53 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments

Jul 1 2025

SecurityPatchBot added a subtask for T392178: 1.45.0-wmf.8 deployment blockers: T391343: CVE-2025-6589: With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList.
Jul 1 2025, 1:23 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T391343: CVE-2025-6589: With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList, a subtask of T392178: 1.45.0-wmf.8 deployment blockers, as Open.
Jul 1 2025, 1:23 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T391343: CVE-2025-6589: With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList as "Open".

Patch 04-T391343.patch is currently failing to apply for the most recent code in the mainline branch of core. This is blocking MediaWiki release 1.45.0-wmf.8(T392178)

Jul 1 2025, 1:23 AM · MW-1.42-release, MW-1.43-release, MW-1.44-release, Security-Team, Community-Tech (Sea Lion Squad), Multiblocks (Actual multiblocks), SecTeam-Processed, Vuln-Infoleak, Security

Jun 30 2025

SecurityPatchBot added a subtask for T392178: 1.45.0-wmf.8 deployment blockers: T392746: CVE-2025-6590: Complete content leak of private wikis due to PasswordReset Wikitext injection in error message.
Jun 30 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T392746: CVE-2025-6590: Complete content leak of private wikis due to PasswordReset Wikitext injection in error message, a subtask of T392178: 1.45.0-wmf.8 deployment blockers, as Open.
Jun 30 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
SecurityPatchBot reopened T392746: CVE-2025-6590: Complete content leak of private wikis due to PasswordReset Wikitext injection in error message as "Open".

Patch 02-T392746.patch is currently failing to apply for the most recent code in the mainline branch of core. This is blocking MediaWiki release 1.45.0-wmf.8(T392178)

Jun 30 2025, 11:52 PM · MW-1.39-release, MW-1.42-release, MW-1.43-release, MW-1.44-notes, SecTeam-Processed, MediaWiki-User-login-and-signup, MediaWiki-HTMLForm, Vuln-Infoleak, Security, Security-Team

Jun 26 2025

SecurityPatchBot added a subtask for T392178: 1.45.0-wmf.8 deployment blockers: Unknown Object (Task).
Jun 26 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Jun 10 2025

SecurityPatchBot changed the status of T395730: Stored XSS through system messages in TemplateData, a subtask of T392175: 1.45.0-wmf.5 deployment blockers, from In Progress to Open.
Jun 10 2025, 1:26 AM · Essential-Work, Release-Engineering-Team (Doing 😎), User-brennen, Release, Train Deployments
SecurityPatchBot changed the status of T395730: Stored XSS through system messages in TemplateData from In Progress to Open.

Patch 01-T395730.patch is currently failing to apply for the most recent code in the mainline branch of extensions/TemplateData. This is blocking MediaWiki release 1.45.0-wmf.5(T392175)

Jun 10 2025, 1:25 AM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team

Jun 9 2025

SecurityPatchBot added a subtask for T392175: 1.45.0-wmf.5 deployment blockers: T395730: Stored XSS through system messages in TemplateData.
Jun 9 2025, 11:52 PM · Essential-Work, Release-Engineering-Team (Doing 😎), User-brennen, Release, Train Deployments
SecurityPatchBot triaged T395730: Stored XSS through system messages in TemplateData as Unbreak Now! priority.

Patch 01-T395730.patch is currently failing to apply for the most recent code in the mainline branch of extensions/TemplateData. This is blocking MediaWiki release 1.45.0-wmf.5(T392175)

Jun 9 2025, 11:52 PM · VisualEditor, Community-Tech, Template-Discovery-And-Recall, SecTeam-Processed, TemplateData, affects-Miraheze, Vuln-XSS, Security, Security-Team

May 23 2025

SecurityPatchBot added a subtask for T392173: 1.45.0-wmf.3 deployment blockers: T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation.
May 23 2025, 11:52 PM · Release-Engineering-Team (Priority Backlog 📥), Essential-Work, Release, Train Deployments
SecurityPatchBot changed the status of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation, a subtask of T392173: 1.45.0-wmf.3 deployment blockers, from In Progress to Open.
May 23 2025, 11:52 PM · Release-Engineering-Team (Priority Backlog 📥), Essential-Work, Release, Train Deployments
SecurityPatchBot changed the status of T392341: CVE-2025-53483, CVE-2025-53484, CVE-2025-53485: SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation from In Progress to Open.

Patch 01-T392341.patch is currently failing to apply for the most recent code in the mainline branch of extensions/SecurePoll. This is blocking MediaWiki release 1.45.0-wmf.3(T392173)

May 23 2025, 11:52 PM · Trust and Safety Product Sprint (Sprint Princess Tarta (August 18 - September 5)), Essential-Work, Patch-For-Review, Trust and Safety Product Team, Vuln-BrokenAccessControl, affects-Miraheze, Vuln-CSRF, Vuln-XSS, MediaWiki-extensions-SecurePoll, Security, Security-Team

May 16 2025

SecurityPatchBot reopened T392976: CVE-2025-53481: Denial of service vector on ipinfo/v0/norevision as "Open".

Patch 01-T392976.patch is currently failing to apply for the most recent code in the mainline branch of extensions/IPInfo. This is blocking MediaWiki release 1.45.0-wmf.2(T392172)

May 16 2025, 11:52 PM · MW-1.45-notes (1.45.0-wmf.2; 2025-05-20), Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)), Data-Persistence, Vuln-DoS, IP Info, Trust and Safety Product Team, Security, Security-Team
SecurityPatchBot added a subtask for T392172: 1.45.0-wmf.2 deployment blockers: T392976: CVE-2025-53481: Denial of service vector on ipinfo/v0/norevision.
May 16 2025, 11:52 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments
SecurityPatchBot reopened T392976: CVE-2025-53481: Denial of service vector on ipinfo/v0/norevision, a subtask of T392172: 1.45.0-wmf.2 deployment blockers, as Open.
May 16 2025, 11:52 PM · Release-Engineering-Team (Doing 😎), Essential-Work, Release, Train Deployments

May 4 2025

SecurityPatchBot added a subtask for T386223: 1.44.0-wmf.28 deployment blockers: Unknown Object (Task).
May 4 2025, 11:53 PM · MW-1.44-notes (1.44.0-wmf.27; 2025-04-29), Release-Engineering-Team (Priority Backlog 📥), Essential-Work, Release, Train Deployments

Apr 26 2025

SecurityPatchBot added a subtask for T386222: 1.44.0-wmf.27 deployment blockers: T386826: Placing unexpected data in MediaWiki:GrowthMentors.json causes internal errors.
Apr 26 2025, 11:57 PM · Release-Engineering-Team (Priority Backlog 📥), Essential-Work, Release, Train Deployments
SecurityPatchBot raised the priority of T386826: Placing unexpected data in MediaWiki:GrowthMentors.json causes internal errors from High to Unbreak Now!.

Patch 03-T386826.patch is currently failing to apply for the most recent code in the mainline branch of extensions/GrowthExperiments. This is blocking MediaWiki release 1.44.0-wmf.27(T386222)

Apr 26 2025, 11:57 PM · MW-1.44-notes (1.44.0-wmf.19; 2025-03-04), Growth-Team (Current Sprint), Vuln-DoS, SecTeam-Processed, GrowthExperiments-Mentorship, Security

Apr 11 2025

SecurityPatchBot triaged T389369: CVE-2025-32071: Wikibase CommonsInlineImageFormatter: i18n XSS from widthheight message via ImageHandler::getDimensionsString() as Unbreak Now! priority.

Patch 01-T389369.patch is currently failing to apply for the most recent code in the mainline branch of extensions/Wikibase. This is blocking MediaWiki release 1.44.0-wmf.25(T386220)

Apr 11 2025, 11:53 PM · Patch-For-Review, SecTeam-Processed, Vuln-XSS, Wikidata, Security, Security-Team
SecurityPatchBot added a subtask for T386220: 1.44.0-wmf.25 deployment blockers: T389369: CVE-2025-32071: Wikibase CommonsInlineImageFormatter: i18n XSS from widthheight message via ImageHandler::getDimensionsString().
Apr 11 2025, 11:53 PM · Essential-Work, Release-Engineering-Team (Doing 😎), Release, Train Deployments

Mar 27 2025

SecurityPatchBot added a subtask for T386218: 1.44.0-wmf.23 deployment blockers: Unknown Object (Task).
Mar 27 2025, 10:05 AM · Essential-Work, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Mar 22 2025

SecurityPatchBot added a subtask for T386217: 1.44.0-wmf.22 deployment blockers: Unknown Object (Task).
Mar 22 2025, 12:51 AM · Release-Engineering-Team (Doing 😎), MW-1.44-notes (1.44.0-wmf.22; 2025-03-25), Release, Train Deployments

Mar 10 2025

SecurityPatchBot raised the priority of T387691: CVE-2025-32069: Wikitext stored XSS on filepages due to dangerous WBMI serialization from High to Unbreak Now!.

Patch 01-T387691.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikibaseMediaInfo. This is blocking MediaWiki release 1.44.0-wmf.20(T386215)

Mar 10 2025, 12:50 AM · Structured-Data-Backlog (Current Work), SecTeam-Processed, SDC-Statements, Vuln-XSS, WikibaseMediaInfo, Security, Security-Team

Mar 9 2025

SecurityPatchBot raised the priority of T387691: CVE-2025-32069: Wikitext stored XSS on filepages due to dangerous WBMI serialization from High to Unbreak Now!.

Patch 01-T387691.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikibaseMediaInfo. This is blocking MediaWiki release 1.44.0-wmf.20(T386215)

Mar 9 2025, 12:51 AM · Structured-Data-Backlog (Current Work), SecTeam-Processed, SDC-Statements, Vuln-XSS, WikibaseMediaInfo, Security, Security-Team

Mar 8 2025

SecurityPatchBot added a subtask for T386215: 1.44.0-wmf.20 deployment blockers: T387691: CVE-2025-32069: Wikitext stored XSS on filepages due to dangerous WBMI serialization.
Mar 8 2025, 12:51 AM · Release-Engineering-Team (Doing 😎), Release, Train Deployments
SecurityPatchBot raised the priority of T387691: CVE-2025-32069: Wikitext stored XSS on filepages due to dangerous WBMI serialization from High to Unbreak Now!.

Patch 01-T387691.patch is currently failing to apply for the most recent code in the mainline branch of extensions/WikibaseMediaInfo. This is blocking MediaWiki release 1.44.0-wmf.20(T386215)

Mar 8 2025, 12:51 AM · Structured-Data-Backlog (Current Work), SecTeam-Processed, SDC-Statements, Vuln-XSS, WikibaseMediaInfo, Security, Security-Team

Nov 7 2024

bd808 updated SecurityPatchBot.
Nov 7 2024, 6:20 PM
SecurityPatchBot added a subtask for T375662: 1.44.0-wmf.3 deployment blockers: Unknown Object (Task).
Nov 7 2024, 1:15 AM · Release-Engineering-Team (Doing 😎), User-brennen, Release, Train Deployments

May 2 2024

SecurityPatchBot raised the priority of T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode from Medium to Unbreak Now!.

Patch 01-T338419.patch is currently failing to apply for the most recent code in the mainline branch of extensions/CheckUser. This is blocking MediaWiki release 1.43.0-wmf.4(T361398)

May 2 2024, 12:01 AM · Trust and Safety Product Sprint (Sprint Shekere (13th May - 24th May)), MW-1.42-notes, MW-1.43-notes (1.43.0-wmf.4; 2024-05-07), Patch-For-Review, Trust and Safety Product Team, SecTeam-Processed, CheckUser, Vuln-DoS, Security
SecurityPatchBot added a subtask for T361398: 1.43.0-wmf.4 deployment blockers: T338419: CVE-2024-40609: Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode.
May 2 2024, 12:00 AM · Release-Engineering-Team (Yakisfaction), Release, Train Deployments

Apr 9 2024

SecurityPatchBot raised the priority of T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL from Low to Unbreak Now!.

Patch 02-T361479.patch is currently failing to apply for the most recent code in the mainline branch of extensions/CheckUser. This is blocking MediaWiki release 1.42.0-wmf.26(T360158)

Apr 9 2024, 12:00 AM · Patch-For-Review, SecTeam-Processed, MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), security-bug, Vuln-Infoleak, Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team, CheckUser, Security
SecurityPatchBot added a subtask for T360158: 1.42.0-wmf.26 deployment blockers: T361479: CVE-2024-40607: Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL.
Apr 9 2024, 12:00 AM · Patch-For-Review, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Mar 8 2024

SecurityPatchBot raised the priority of T355538: CVE-2024-34507: XSS in edit summary parser from Medium to Unbreak Now!.

Patch 01-T355538.patch is currently failing to apply for the most recent code in the mainline branch of core. This is blocking MediaWiki release 1.42.0-wmf.22(T354440)

Mar 8 2024, 10:45 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), SecTeam-Processed, Patch-For-Review, Vuln-XSS, Security, Security-Team
SecurityPatchBot raised the priority of T355538: CVE-2024-34507: XSS in edit summary parser from Medium to Unbreak Now!.

Patch 01-T355538.patch is currently failing to apply for the most recent code in the mainline branch of core. This is blocking MediaWiki release 1.42.0-wmf.22(T354440)

Mar 8 2024, 9:50 AM · MW-1.42-notes (1.42.0-wmf.25; 2024-04-02), SecTeam-Processed, Patch-For-Review, Vuln-XSS, Security, Security-Team
SecurityPatchBot added a subtask for T354440: 1.42.0-wmf.22 deployment blockers: T355538: CVE-2024-34507: XSS in edit summary parser.
Mar 8 2024, 9:49 AM · Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments

Feb 6 2024

jnuche updated SecurityPatchBot.
Feb 6 2024, 4:01 PM
jnuche updated SecurityPatchBot.
Feb 6 2024, 3:53 PM
jnuche updated SecurityPatchBot.
Feb 6 2024, 3:51 PM