[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T181665

Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
Bawolff
Nov 29 2017, 6:58 PM
Tags
Referenced Files
F25627840: REL1_30.tar
Sep 3 2018, 8:35 AM
F25627841: REL1_29.tar
Sep 3 2018, 8:35 AM
F25627839: master.tar
Sep 3 2018, 8:35 AM
F25627843: REL1_27.tar
Sep 3 2018, 8:35 AM
F25627842: REL1_31.tar
Sep 3 2018, 8:35 AM
F23421797: 01-T169545-REL1_30.patch
Jul 7 2018, 5:56 PM
F23421770: 01-T169545-REL1_27.patch
Jul 7 2018, 5:56 PM
F23421769: 01-T169545-REL1_29.patch
Jul 7 2018, 5:56 PM
View All 10 Files
Subscribers
Aklapper
Bawolff
CCicalese_WMF
greg
Jdforrester-WMF
Legoktm
Reedy

Description

Previous work T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases

Tracking bug for next security release

This will be the final 1.29 release.

Maniphest IDCVE IDREL1_27REL1_29REL1_30REL1_31master
T169545CVE-2018-0503
01-T169545-REL1_27.patch1 KBDownload
01-T169545-REL1_29.patch1 KBDownload
01-T169545-REL1_30.patch1 KBDownload
01-T169545-REL1_31.patch1 KBDownload
01-T169545-master.patch1 KBDownload
T187638CVE-2018-0504mergedmergedmergedmergedmerged
T194605CVE-2018-0505
T194237n/a (hardening)mergedmergedmergedmergedmerged
T199029CVE-2018-13258n/an/an/a

Related Objects
Search...

Event Timeline

Bawolff created this task.Nov 29 2017, 6:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2017, 6:58 PM
Bawolff added a project: Security-Team.Nov 29 2017, 6:59 PM
Bawolff added a subtask: T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503).
Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Nov 29 2017, 7:05 PM
Bawolff added a subtask: Restricted Task.Jan 8 2018, 6:51 PM
Bawolff added a subtask: T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504).Mar 28 2018, 6:59 AM
Aklapper renamed this task from Tracking bug for 1.27.5/1.29.2/1.30.1 security release to Tracking bug for 1.27.5/1.29.3/1.30.1 security release.Mar 28 2018, 7:34 AM
greg subscribed.Mar 29 2018, 9:33 PM

As I said in email: Let's shoot for this to happen before REL1_31 is branched (April 17th) to make things clean for everyone.

demon added a subscriber: CCicalese_WMF.Apr 13 2018, 4:20 PM
demon added a project: MW-1.31-release.Apr 13 2018, 4:23 PM
Krinkle added a project: MW-1.30-release.Apr 18 2018, 5:57 PM
Krinkle added projects: MW-1.27-release, MW-1.29-release.
Reedy added a subtask: T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505).Jun 4 2018, 4:20 PM
Bawolff added a subtask: T194237: bot passwords should call checkLoginSecurityLevel.Jun 10 2018, 6:15 PM
greg added a subscriber: Reedy.Jun 12 2018, 4:18 AM

@Bawolff @Reedy is this going to happen soon? 1.31 is really close to being ready.

Reedy renamed this task from Tracking bug for 1.27.5/1.29.3/1.30.1 security release to Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 10:41 AM
Reedy updated the task description. (Show Details)
Reedy added a parent task: T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Jul 7 2018, 4:49 PM
Reedy updated the task description. (Show Details)Jul 7 2018, 5:22 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy closed subtask T194237: bot passwords should call checkLoginSecurityLevel as Resolved.Jul 7 2018, 5:26 PM
Reedy updated the task description. (Show Details)
Reedy closed subtask T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504) as Resolved.Jul 7 2018, 5:29 PM
Reedy updated the task description. (Show Details)
Reedy closed subtask T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503) as Resolved.Jul 7 2018, 5:55 PM
Reedy updated the task description. (Show Details)
Bawolff added a subtask: Restricted Task.Jul 9 2018, 11:07 PM
Jdforrester-WMF subscribed.Jul 11 2018, 11:34 PM
Legoktm removed a subtask: Restricted Task.Aug 29 2018, 12:57 AM
Legoktm removed a subtask: Restricted Task.Aug 29 2018, 1:14 AM
Legoktm updated the task description. (Show Details)
Legoktm added a subtask: T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258).Aug 29 2018, 1:23 AM
Legoktm updated the task description. (Show Details)
Legoktm updated the task description. (Show Details)Aug 29 2018, 1:49 AM
Legoktm closed subtask T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505) as Resolved.Aug 29 2018, 7:20 AM
Legoktm updated the task description. (Show Details)Aug 29 2018, 6:12 PM
Legoktm subscribed.Sep 3 2018, 8:35 AM

I didn't want to upload 20 individual files to Phabricator...here's tars of the 3 backported security patches for each branch, and then release branches have one more patch bumping $wgVersion and adding release notes.

master.tar10 KBDownload

REL1_30.tar20 KBDownload

REL1_29.tar20 KBDownload

REL1_31.tar20 KBDownload

REL1_27.tar20 KBDownload

Bawolff moved this task from Incoming to Epics in progress on the Security-Team board.Sep 4 2018, 4:19 PM
Reedy mentioned this in T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258).Sep 15 2018, 2:44 AM
Reedy closed subtask T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258) as Resolved.Sep 20 2018, 8:20 PM
Reedy closed this task as Resolved.Sep 20 2018, 9:32 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Sep 20 2018, 9:55 PM
sbassett moved this task from Epics in progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:10 PM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:29 PM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits