[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T133070

MediaWiki 1.27.1 security release
Closed, ResolvedPublic
Actions

Assigned To
demon
Authored By
csteipp
Apr 19 2016, 5:17 PM
Tags
Referenced Files
F4345953: T130384.patch
Aug 8 2016, 9:59 PM
F4274481: 0001-SECURITY-Move-UserGetRights-call-before-application-.patch
Aug 1 2016, 5:41 PM
F4326047: T128624-part2-REL1_27
Aug 1 2016, 12:17 PM
F4326029: T132926-REL1_23.patch
Aug 1 2016, 12:14 PM
F4326026: T128624-REL1_27.patch
Aug 1 2016, 12:14 PM
F4326031: T132926-REL1_26.patch
Aug 1 2016, 12:14 PM
F4326039: T132926-master.patch
Aug 1 2016, 12:14 PM
F3657112: SECURITY: Check for valid but unusable user names.patch
Jul 18 2016, 11:02 PM
View All 55 Files
Subscribers
Aklapper
Bawolff
csteipp
demon
dpatrick
Ejegg
Jdforrester-WMF
Legoktm

Description

This will probably happen several weeks after 1.27 is released.

MW Versions: 1.27.1/1.26.4/1.23.15. Note, 1.25 is already EOL.

Core

Maniphest IDCVE IDREL1_23REL1_26REL1_27REL1_28/master
T115333CVE-2016-6331
T115333-REL1_23.patch1 KBDownload
T115333-REL1_26.patch1 KBDownload
T115333-REL1_27.patch1 KBDownload
T115333-master.patch1 KBDownload
T129738CVE-2016-6332
T129738-part1-REL1_231 KBDownload
,
T129738-part2-REL1_23.patch3 KBDownload
T129738-part1-REL1_26.patch1 KBDownload
,
T129738-part2-REL1_26.patch4 KBDownload
T129738-part1-REL1_27.patch1 KBDownload
,
T129738-part2-REL1_27.patch4 KBDownload
Make Blocks log out user in question if $wgBlockDisablesLogin is set1 KBDownload
,
[v3] Make wgBlockDisablesLogin restrict logged in users rights to anon4 KBDownload
T133147CVE-2016-6333
T133147-part1-REL1_23.patch1 KBDownload
,
T133147-part2-REL1_23.patch1 KBDownload
T133147-part1-REL1_26.patch1 KBDownload
,
T133147-part2-REL1_26.patch1 KBDownload
T133147-part1-REL1_27.patch1 KBDownload
,
T133147-part2-REL1_27.patch1 KBDownload
T133147-part1-master.patch1 KBDownload
,
T133147-part2-master1 KBDownload
T137264CVE-2016-6334
T137264-REL1_23.patch1 KBDownload
T137264-REL1_26.patch1 KBDownload
T137264-REL1_27.patch1 KBDownload
0001-SECURITY-XSS-in-unclosed-internal-links.patch1 KBDownload
T139570CVE-2016-6335
T139565-REL1_23.patch2 KBDownload
T139565-REL1_26.patch2 KBDownload
T139565-REL1_27.patch1 KBDownload
Already present
T132926CVE-2016-6336
T132926-REL1_23.patch1 KBDownload
T132926-REL1_26.patch1 KBDownload
T132926-REL1_26.patch1 KBDownload
T132926-master.patch1 KBDownload
T139670CVE-2016-6337n/a (no SessionManager)n/a (no SessionManager)
0001-SECURITY-Move-UserGetRights-call-before-application-.patch3 KBDownload
0001-SECURITY-Move-UserGetRights-call-before-application-.patch3 KBDownload

Extensions

REL1_23REL1_26REL1_27REL1_28/master
T136402 [pdfHandler]
T136402-REL1_23.patch878 BDownload
0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload
0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload
0001-Add-dSAFER-to-ghostscript-as-a-hardening-measure.patch868 BDownload
[master patch applies cleanly to everything except 1.23]

Details

SubjectRepoBranchLines +/-
Gerrit: Make IPv6 optionaloperations/puppetproduction+7 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
demon subscribed.Jun 29 2016, 4:42 PM

Removed REL1_25 column as it hit EOL already.

MaxSem renamed this task from MediaWiki 1.26.4 security release to MediaWiki 1.27.1 security release.Jun 29 2016, 5:03 PM
demon added a comment.Jun 29 2016, 5:57 PM

The two Flow patches do not block this release, they are not bundled. They should be pushed to all supported branches and announced (mediawiki-announce, I can help with this)

dpatrick updated the task description. (Show Details)Jul 7 2016, 8:21 PM
dpatrick added a subtask: T139570: API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP.
Bawolff added a subtask: T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException.Jul 7 2016, 8:53 PM
Bawolff added a subtask: T132926: Admins can get around oversight (suppression) of file revisions.Jul 7 2016, 9:22 PM
Legoktm updated the task description. (Show Details)Jul 7 2016, 10:48 PM
Jdforrester-WMF subscribed.Jul 7 2016, 11:41 PM
dpatrick updated the task description. (Show Details)Jul 8 2016, 10:31 PM
dpatrick added a subtask: T128695: Block::updateTimestamp() updates expiry of all blocks for the IP.
Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jul 10 2016, 5:45 PM
Bawolff added a subtask: T128624: Moving a page over redirect loses the protection settings for that page.Jul 10 2016, 5:48 PM
Bawolff added a subtask: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).Jul 10 2016, 6:06 PM
Bawolff closed subtask T139570: API action=parse&prop=headhtml leaks current user and their tokens to third-party sites when used via JSONP as Resolved.Jul 18 2016, 7:50 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:32 AM
Bawolff removed a subtask: Restricted Task.Jul 18 2016, 8:36 AM
Bawolff removed a subtask: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:43 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 8:45 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:28 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:37 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:41 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:45 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 9:54 AM
Bawolff updated the task description. (Show Details)Jul 18 2016, 10:11 AM
dpatrick added a subtask: T130384: CentralAuth doesn't check if given valid but unusable name.Jul 18 2016, 7:24 PM
Bawolff closed subtask T136402: PdfHandler extension doesn't use -dSAFER option of ghostscript as Resolved.Jul 18 2016, 10:22 PM
Bawolff closed subtask T115333: API action=parse does not check-per title read permissions as Resolved.Jul 18 2016, 10:24 PM
dpatrick closed subtask T132926: Admins can get around oversight (suppression) of file revisions as Resolved.Jul 18 2016, 10:37 PM
Bawolff updated the task description. (Show Details)Jul 18 2016, 10:37 PM
dpatrick closed subtask T133147: XSS via CSS user subpage preview feature as Resolved.Jul 18 2016, 10:44 PM
dpatrick closed subtask T137593: Topics that are deleted then suppressed expose topic title in public deletion log as Resolved.Jul 18 2016, 10:49 PM
dpatrick closed subtask T137288: Applying deletelogentry restrictions to flow deletion log entries does not work as Resolved.
Bawolff closed subtask T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out as Resolved.Jul 18 2016, 11:02 PM
dpatrick updated the task description. (Show Details)Jul 18 2016, 11:02 PM
demon added a comment.Jul 19 2016, 4:50 PM

Flow, as an un-bundled extension, can be removed from this tracker. They should be fixed in all supported branches and announced widely. That's all we need for that.

dpatrick updated the task description. (Show Details)Jul 20 2016, 7:28 PM
Anomie closed subtask T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException as Resolved.Jul 25 2016, 1:53 PM
Bawolff updated the task description. (Show Details)Aug 1 2016, 12:14 PM
Bawolff updated the task description. (Show Details)Aug 1 2016, 12:17 PM
dpatrick updated the task description. (Show Details)Aug 1 2016, 5:41 PM
dpatrick updated the task description. (Show Details)Aug 1 2016, 9:08 PM
demon mentioned this in rOPUP4cdf19929cc7: Gerrit: Make IPv6 optional.Aug 1 2016, 10:15 PM
Dzahn mentioned this in rOPUP4a2af53fa670: Gerrit: Make IPv6 optional.Aug 1 2016, 10:32 PM
Dzahn mentioned this in rOPUP9c04e8d7f183: Gerrit: Make IPv6 optional.
demon updated the task description. (Show Details)Aug 2 2016, 6:21 PM
demon added a comment.Aug 2 2016, 6:32 PM

T130384 is not a core change and not a bundled extension (it's CentralAuth). Let's remove it from the list, push to branches, and announce.

demon added a comment.Aug 2 2016, 6:40 PM

T133147-part2-REL1_23.patch1 KBDownload
doesn't apply cleanly to REL1_23. Otherwise that branch checks out ok.

Bawolff added a comment.Aug 2 2016, 6:46 PM
In T133070#2516274, @demon wrote:

T133147-part2-REL1_23.patch1 KBDownload
doesn't apply cleanly to REL1_23. Otherwise that branch checks out ok.

I think that patch was based on top of the patch for T57548-REL1_23.patch (The two patches conflicted with each other)

Bawolff updated the task description. (Show Details)Aug 2 2016, 8:50 PM
Legoktm subscribed.Aug 7 2016, 8:47 PM

I haven't checked the patches linked here, but can we make sure the commit message starts with "SECURITY"? We've been a bit inconsistent with that lately, and it makes them much easier to spot (noticed when rebasing before deploying on tin)

dpatrick closed subtask T130384: CentralAuth doesn't check if given valid but unusable name as Resolved.Aug 8 2016, 9:58 PM
dpatrick updated the task description. (Show Details)
dpatrick updated the task description. (Show Details)
dpatrick subscribed.Aug 8 2016, 10:06 PM
In T133070#2531673, @Legoktm wrote:

I haven't checked the patches linked here, but can we make sure the commit message starts with "SECURITY"? We've been a bit inconsistent with that lately, and it makes them much easier to spot (noticed when rebasing before deploying on tin)

Thanks for noticing that, @Legoktm. We'll be vigilant about that in the future.

dpatrick updated the task description. (Show Details)Aug 10 2016, 12:50 AM
demon added a comment.Aug 10 2016, 8:13 PM

Patch for T137264 does not apply to master.

demon updated the task description. (Show Details)Aug 10 2016, 8:20 PM
dpatrick added a subscriber: Ejegg.Aug 10 2016, 8:32 PM
dpatrick updated the task description. (Show Details)Aug 10 2016, 8:45 PM
dpatrick updated the task description. (Show Details)Aug 10 2016, 8:51 PM
demon updated the task description. (Show Details)Aug 10 2016, 8:52 PM
demon updated the task description. (Show Details)Aug 10 2016, 9:10 PM
demon edited subtasks, added: T139670: Central auth global groups don't take session rights limit into account; removed: T130384: CentralAuth doesn't check if given valid but unusable name, T128624: Moving a page over redirect loses the protection settings for that page, T128695: Block::updateTimestamp() updates expiry of all blocks for the IP, T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException, T137593: Topics that are deleted then suppressed expose topic title in public deletion log, T137288: Applying deletelogentry restrictions to flow deletion log entries does not work.Aug 10 2016, 9:14 PM
demon updated the task description. (Show Details)Aug 10 2016, 10:14 PM
demon updated the task description. (Show Details)
demon added a comment.Aug 11 2016, 12:12 AM

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

Bawolff added a comment.Aug 11 2016, 12:34 AM
In T133070#2542533, @demon wrote:

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

Im fine with that, however im away for the rest of the week, so i cannot be the one to do it.

demon added a comment.Aug 11 2016, 12:57 AM
In T133070#2542613, @Bawolff wrote:
In T133070#2542533, @demon wrote:

@Bawolff Any opposition to applying the $wgWellFormedXml patch (T57548) directly to REL1_23 and REL1_26 directly and like now? It's already public and on the other branches and it makes the release a tad easier :)

Im fine with that, however im away for the rest of the week, so i cannot be the one to do it.

Oh I can do it myself I just wanted a second opinion :)

Ejegg added a comment.Aug 11 2016, 3:01 AM

T132926-REL1_26.patch, listed in the 1.27.1 column, doesn't apply to REL1_27 (as suggested by the name). T132926-master.patch does work on REL1_27 though.

demon added a comment.Aug 11 2016, 3:07 AM
In T133070#2542737, @Ejegg wrote:

T132926-REL1_26.patch, listed in the 1.27.1 column, doesn't apply to REL1_27 (as suggested by the name). T132926-master.patch does work on REL1_27 though.

Yeah, I had to do a manual rebase locally to sort out the conflicts. It's trivial though.

demon updated the task description. (Show Details)Aug 19 2016, 3:10 PM

Removed T57548 since it's already backported to 1.23/1.26 as well.

demon updated the task description. (Show Details)Aug 19 2016, 9:02 PM
demon closed subtask T57548: Html::expandAttributes can be tricked into omitting necessary quotes as Resolved.Aug 22 2016, 8:50 PM
dpatrick updated the task description. (Show Details)Aug 23 2016, 12:40 AM
demon closed this task as Resolved.Aug 23 2016, 1:24 AM
demon claimed this task.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed Security from Software security bug to None.
demon updated the task description. (Show Details)
dpatrick mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Aug 24 2016, 6:05 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:35 PM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:35 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits