Greetings- With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
CheckUser + (T361293 <https://phabricator.wikimedia.org/T361293>, CVE-2024-40606) - Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2 CheckUser + (T361295 <https://phabricator.wikimedia.org/T361295>, CVE-2024-40610) - CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9 CheckUser + (T361296 <https://phabricator.wikimedia.org/T361296>, CVE-2024-40608) - Special:Investigate exposes suppressed usernames to those who do not have the rights to see them https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241 CheckUser + (T361479 <https://phabricator.wikimedia.org/T361479>, CVE-2024-40607) - Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232 CheckUser + (T326867 <https://phabricator.wikimedia.org/T326867>, CVE-2024-40598) - CheckUser API can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294 CheckUser + (T326865 <https://phabricator.wikimedia.org/T326865>, CVE-2024-40597) - Special:CheckUser can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782 CheckUser + (T338419 <https://phabricator.wikimedia.org/T338419>, CVE-2024-40609) - Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22 CheckUser + (T268147 <https://phabricator.wikimedia.org/T268147>, CVE-2024-40611) - Special:CheckUser shows deleted edits to non-admins CheckUser + (T326866 <https://phabricator.wikimedia.org/T326866>, CVE-2024-40596) - Special:Investigate can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100 GuMaxDD + (T361448 <https://phabricator.wikimedia.org/T361448>, CVE-2024-40599) - GuMaxDD skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a Nimbus + (T361450 <https://phabricator.wikimedia.org/T361450>, CVE-2024-40604) - Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad Tempo + (T361451 <https://phabricator.wikimedia.org/T361451>, CVE-2024-40602) - Tempo skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a Foreground + (T361452 <https://phabricator.wikimedia.org/T361452>, CVE-2024-40605) - Foreground skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344 BlueLL + (T361453 <https://phabricator.wikimedia.org/T361453>, CVE-2024-40612) - BlueLL skin: stored XSS via MediaWiki:Sidebar https://github.com/lingua-libre/BlueLL/pull/18 Metrolook + (T361449 <https://phabricator.wikimedia.org/T361449>, CVE-2024-40600) - Metrolook skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e MediaWikiChat + (T362588 <https://phabricator.wikimedia.org/T362588>, CVE-2024-40601) - Classic CSRF in MediaWikiChat's API modules https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/1023496 ArticleRatings + (T363884 <https://phabricator.wikimedia.org/T363884>, CVE-2024-40603) - Special:ChangeRating is vulnerable to CSRF https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7 Gadgets + (T363773 <https://phabricator.wikimedia.org/T363773>, CVE-2024-40613) - Evil regex used to process gadget definitions https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact secur...@wikimedia.org or file a security task within Phabricator [3]. [1] https://phabricator.wikimedia.org/T361321 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs _______________________________________________ MediaWiki-announce mailing list -- mediawiki-announce@lists.wikimedia.org To unsubscribe send an email to mediawiki-announce-le...@lists.wikimedia.org
