[Wikitech-l] BREAKING CHANGE: Action API action=logout will require a CSRF token

2019-04-30 Thread Scott Bassett
Hey everybody,

This was already posted to Mediawiki-api-announce, x-posting here for
increased visibility as this change should be in production this week.

With the merge of Icb674095,[1] use of API action=logout will require
a CSRF token. This was considered a security issue, so the usual
deprecation process was not followed. See T25227[2] for details.

Clients that do not use a CSRF token with action=logout will receive a
badtoken error message ***and will not be logged out***.

This change should be deployed to Wikimedia wikis with 1.34.0-wmf.3.
See https://www.mediawiki.org/wiki/MediaWiki_1.34/Roadmap for a
schedule.

Overall client impact is expected to be relatively low, as gathered
statistics indicate there are relatively few users of this API call.
Nonetheless, maintainers should check their code for use of
action=logout and update as necessary to maintain expected operation.

[1]: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/504565
[2]: https://phabricator.wikimedia.org/T25227

[3]: https://phabricator.wikimedia.org/T25227#4902709

-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
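The token exchange the announcement above now requires, as an added example that is not part of the original post or of MediaWiki's own code. The `FakeWiki` class is a constructed stand-in for a wiki's api.php so the exchange can run offline; its token value and response bodies are illustrative. Only the request shapes follow the real Action API: `action=query&meta=tokens&type=csrf` to obtain a session-bound token, then `action=logout` POSTed with that token. The `http_transport` helper shows the same client code driving a live wiki through a cookie-carrying urllib opener (assumed, not run here).

```python
"""Added example: CSRF-token exchange for MediaWiki Action API action=logout.

FakeWiki is a constructed stand-in for api.php (illustrative token and error
bodies) so the exchange runs offline. The client functions are the part a
maintainer would carry over to a real wiki.
"""
import json
import secrets
import urllib.parse
import urllib.request


class FakeWiki:
    """One logged-in session whose logout is gated on that session's CSRF token."""

    def __init__(self):
        self.logged_in = True
        # Tokens are session-bound and opaque to the client; real MediaWiki
        # CSRF tokens also end in a literal "+\".
        self._csrf = secrets.token_hex(16) + "+\\"

    def handle(self, method, params):
        """Dispatch one API call the way api.php would; returns parsed JSON."""
        action = params.get("action")
        if action == "query" and params.get("meta") == "tokens":
            return {"query": {"tokens": {"csrftoken": self._csrf}}}
        if action == "logout":
            # Post-Icb674095 behaviour: a missing or wrong token yields a
            # badtoken error and the session stays logged in.
            if params.get("token") != self._csrf:
                return {"error": {"code": "badtoken",
                                  "info": "Invalid CSRF token."}}
            self.logged_in = False
            return {}
        return {"error": {"code": "unknown_action", "info": str(action)}}


def api_call(transport, method, params):
    """Send one API call through `transport(method, params) -> dict`."""
    return transport(method, dict(params, format="json"))


def fetch_csrf_token(transport):
    """Step 1: ask the wiki for a CSRF token bound to the current session."""
    resp = api_call(transport, "GET",
                    {"action": "query", "meta": "tokens", "type": "csrf"})
    return resp["query"]["tokens"]["csrftoken"]


def logout_old_client(transport):
    """Pre-change client: action=logout with no token. Now rejected."""
    return api_call(transport, "GET", {"action": "logout"})


def logout_new_client(transport):
    """Updated client: fetch a token, then POST it with action=logout."""
    token = fetch_csrf_token(transport)
    return api_call(transport, "POST", {"action": "logout", "token": token})


def http_transport(api_url, opener):
    """Transport for a live wiki (assumed usage, not exercised offline).
    `opener` is a urllib opener carrying the login session's cookies, e.g.
    urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))."""
    def send(method, params):
        body = urllib.parse.urlencode(params).encode()
        if method == "GET":
            req = urllib.request.Request(api_url + "?" + body.decode())
        else:
            req = urllib.request.Request(api_url, data=body, method="POST")
        with opener.open(req) as resp:
            return json.load(resp)
    return send


if __name__ == "__main__":
    wiki = FakeWiki()
    print(logout_old_client(wiki.handle), wiki.logged_in)   # badtoken, True
    print(logout_new_client(wiki.handle), wiki.logged_in)   # {}, False
```

The point to check in your own client is the second line of the `__main__` block: after the change, a logout call that omits the token returns `badtoken` and leaves the session logged in, so any code that previously called `action=logout` and assumed success must now fetch a token first and treat an `error` key in the response as a failed logout.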

[Wikitech-l] MediaWiki Extensions Security Release Supplement

2019-10-11 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.4 / 1.32.4 / 1.33.1
[0], we would also like to provide this supplementary announcement of
wmf-deployed extensions [1] with now-public security patches and backports
[2]:

== MobileFrontend ==
* (T229541, CVE-2019-14807) - JavaScript injection in edit summary on
mobile site.
<https://gerrit.wikimedia.org/r/q/I0cb918f8148d1782882e104d127f08cbfa23e542>

* (T230576, CVE-2019-15124) - XSS in edit summary for ex:MobileFrontend
Special:Watchlist
<https://gerrit.wikimedia.org/r/q/If4e91093c676de3391e6dde415c8c91c1f582998>

== CheckUser ==
* (T207094 [task to remain private], CVE-2019-16529) - Oversighted edit
summaries still visible in CheckUser results
<https://gerrit.wikimedia.org/r/q/I3d28bd9f14c1237a34afcd2e4479152f571e29a6>

== AbuseFilter ==
* (T224203 [task to remain private], CVE-2019-16528) - Oversighting the
user who performed an edit doesn't hide it from the abuse filter log
<https://gerrit.wikimedia.org/r/q/If3d3256404d0f3dbde171831937d1a816b3e2734>

The Wikimedia Security Team recommends updating these extensions to the
current master branch or supported release branches [3] as soon as
possible. As you may have noticed, some of the referenced Phabricator tasks
above are still private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns,
please feel free to contact secur...@wikimedia.org or file a security task
within Phabricator.

[0]
https://lists.wikimedia.org/pipermail/wikitech-l/2019-October/092656.html
[1] https://w.wiki/9hi
[2] https://phabricator.wikimedia.org/T232113
[3] https://www.mediawiki.org/wiki/Version_lifecycle

-- 
Scott Bassett
sbass...@wikimedia.org

[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement

2019-12-19 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.6/1.32.6/1.33.2
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== CheckUser ==
+ (T234862, CVE-2019-18611) - Do not show oversighted edit summaries in
CheckUser API
<https://gerrit.wikimedia.org/r/q/Ie0aa0df2b3f03d8b910733f1b5e600a0dc978765>

== AbuseFilter ==
+ (T104807, CVE-2019-18612) - Older hidden versions of a currently-public
AbuseFilter are exposed via diffs
<https://gerrit.wikimedia.org/r/q/Ie23e8234ae550273bf3f6f9c5ac45b7fc54eec2a>

+ (T237887, CVE-2019-18987) - Old public versions of private filters are
publicly viewable
<https://gerrit.wikimedia.org/r/q/Ic12790bd33982473f77551bde9599ed083a3e1f1>

== VisualEditor ==
+ (T239209, CVE-2019-19708) - XSS in Visual Editor via Copy&Paste
<https://gerrit.wikimedia.org/r/q/I1f99458fd2c4f6b2460dfe7a93b330ddee4400b6>

== MinervaNeue skin ==
+ (T240487, CVE requested) - XSS in MinervaNeue skin
<https://gerrit.wikimedia.org/r/q/Ida471291f1698387a26736931ab17e6899e05b51>

== LDAPAuthentication2 ==
+ (T240338, No CVE requested) - LDAPAuthentication2 allows login with
invalid password
<https://gerrit.wikimedia.org/r/q/I7b125ab468ebc914b8a1c67ed0c03e3c2a20c6cd>

The Wikimedia Security Team recommends updating these extensions and skins
to the current master branch or relevant, supported release branch [2] as
soon as possible. Some of the referenced Phabricator tasks above _may_
still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/pipermail/wikitech-l/2019-December/092886.html
[1] https://phabricator.wikimedia.org/T234983
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org

[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1)

2020-03-26 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== MobileFrontend ==
+ (T240502, No CVE) - List known raw html messages
<https://gerrit.wikimedia.org/r/q/I301aee4093fe2b0e8f6dfe546bb80af1de2>

== WikibaseMediaInfo ==
+ (T240773, CVE-2020-6163) - Escape labels in HTML output
<https://gerrit.wikimedia.org/r/q/If47903f11645e52d56a875be4c03de47400cef0>

== Widgets ==
+ (T245850, CVE-2020-9382) - Title::newFromText() is not safe for user input
<https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8>

== GlobalBlocking ==
+ (T229731, CVE-2020-10534) - Apply most specific global block
<https://gerrit.wikimedia.org/r/q/I9cc5fb2c08c78bbd797a5fc6d89f4577c8cc118>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html
[1] https://phabricator.wikimedia.org/T240400
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org

[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.8/1.33.4/1.34.2)

2020-06-25 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.8/1.33.4/1.34.2
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== CentralAuth ==
+ (T250594, CVE-2020-12051) - globaluserinfo api allows access to
information about hidden users
<https://gerrit.wikimedia.org/r/#/q/I3c80641dc1202df7428714f0ca44717a51ff6021>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-June/000252.html
[1] https://phabricator.wikimedia.org/T248542
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
-- 
Scott Bassett
sbass...@wikimedia.org

[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.9/1.34.3/1.35.0)

2020-09-28 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.9/1.34.3/1.35.0
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== MobileFrontend ==
+ (T238075) - Alert group Cookie(s) without HttpOnly flag are set due to
default configuration
<https://gerrit.wikimedia.org/r/q/I8e84f1cbc8878974532b511cebd9de40c5de55c6>

== MobileFrontend ==
+ (T262213, CVE-2020-26120) - XSS on Pages viewed within MobileFrontend
extension
<https://gerrit.wikimedia.org/r/q/I42e079bc875d17b336ab015f3678eaedc26e10ea>

== CentralAuth ==
+ (T260485, CVE-2020-25869) - CentralAuth uses wrong actor ID when locally
suppressing the user
<https://gerrit.wikimedia.org/r/q/Iaa886a1824e5a74f4501ca7e28917c780222aac0>
<https://gerrit.wikimedia.org/r/q/I2336954c665366a99f9995df9b08071d4de6db79>

== FileImporter ==
+ (T262628, CVE-2020-26121) - FileImporter imports the file even when the
target page is protected on Commons
<https://gerrit.wikimedia.org/r/q/Ib852a96afc4dca10516d0510e69c10f9892b351b>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
[1] https://phabricator.wikimedia.org/T256342
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org


Re: [Wikitech-l] Workflow for updating javascript tools on wiki?

2020-10-29 Thread Scott Bassett
Hello Roy-

I don't believe there is any release or deployment process for userJS on
the projects, certainly nothing formal or standardized.  In some way,
Gadgets 2.0/3.0 was designed with these issues in mind, but that project is
currently stalled, as far as I know.  What you're doing is likely what I
and other WMF folks would recommend (version control, tests if feasible,
careful deployment with an announcement to users if you have some channel
of communication, etc).  If you'd ever like a quick security review of the
code or possibly some aggregated data on its usage, feel free to create a
task in Phabricator.


On Mon, Oct 26, 2020 at 11:27 AM Roy Smith  wrote:

> I maintain spi-tools.js
> <https://en.wikipedia.org/wiki/User:RoySmith/spi-tools.js>.  The source
> is in github.  At the moment, my "release process" (if you could call it
> that) is to edit
> User:RoySmith/spi-tools.js and copy-paste the new version.  This works,
> but it's clunky.  Is there some pre-existing tool for this?
>
> I could build some little tool to do this, but if something already
> exists, no need to reinvent the wheel.
>


-- 
Scott Bassett
sbass...@wikimedia.org


[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.11/1.35.1)

2020-12-22 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.11/1.35.1 [0], we
would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

== Cosmos Skin ==
+ (T265440, CVE-2020-27620) - Mixed use of wfMessage() calls with no output
mode and Html::rawElement
<https://gerrit.wikimedia.org/r/q/I738471981be4b394caf65de615e8ee4ab36a9782>

== FileImporter ==
+ (T265810, CVE-2020-27621) - uses a WMF IP address, does not include XFF
for users using this extension
<https://gerrit.wikimedia.org/r/q/I24a240253c7a5c66dd493a68e8c23d95a17e1b21>

== RandomGameUnit ==
+ (T266400, CVE-2020-27957) - Stored XSS
<https://gerrit.wikimedia.org/r/q/I497d2076038f75c9eb77e0e250f2af56f5bd2bfc>

== PollNY ==
+ (T266508, CVE-2020-29003) - Stored XSS
<https://gerrit.wikimedia.org/r/q/Ic5b8f579c303e9666a0b7d815230e4ce08557027>

== CologneBlue ==
+ (T267278, CVE-2020-29002) - XSS vulnerability
<https://gerrit.wikimedia.org/r/q/Ie798a4f16d0ac2a4871aefeb593d962966aeb6b0>

== Push ==
+ (T262724, CVE-2020-29004, CVE-2020-29005) - Push extension exposes login
credentials
<https://gerrit.wikimedia.org/r/q/I15d76536a6cf256417d7e28838e4cdb66245adf5>

== PushToWatch ==
+ (T268641, CVE-2020-35626) - classic CSRF
<https://gerrit.wikimedia.org/r/q/I3f41d8087af2ae22581836f7c32baac97f348044>

== SecurePoll ==
+ (T268794, CVE-2020-35624) - SecurePoll should not show the exact time of
cast votes publicly
<https://gerrit.wikimedia.org/r/q/If8e15eb8ce9ec652c06816cbff52bb084fd50e73>

== GlobalUsage ==
+ (T268341, CVE-2020-35622) - XSS in SpecialGlobalUsage
<https://gerrit.wikimedia.org/r/q/I3d4689529c976cff14c9ab218eab67d0c7b9cad6>

== Widgets ==
+ (T269718, CVE-2020-35625) - RCE in Widgets extension
<https://gerrit.wikimedia.org/r/q/Ic899a8b15bc510e61cdacb5c024af2d226a2dbeb>

== CASAuth ==
+ (T263498, CVE-2020-35623) - Logins to MW with at least one SSO client
extension allows masquerading as another user
<https://github.com/CWRUChielLab/CASAuth/pull/10>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html
[1] https://phabricator.wikimedia.org/T263810
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org


[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.13/1.35.2)

2021-04-23 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.13/1.35.2 [0], we
would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

== CommentBox ==
+ (T270767, CVE-2021-31550) - Wg variables aren't validated by CommentBox -
possible raw html insertion risk
<https://gerrit.wikimedia.org/r/651934>

== AbuseFilter ==
+ (T272333, CVE-2021-31548) - Disallow the edit if blocking the user didn't
succeed
<https://gerrit.wikimedia.org/r/657092>

== WikiLove ==
+ (T270142, CVE-2021-31557) - mw.config.get( 'wikilove-anon' ) leaks the
existence of hidden users
<https://gerrit.wikimedia.org/r/q/Ibcd87abe01719222beadcfc0de13038c3021adef>

== PageForms ==
+ (T259433, CVE-2021-31551) - XSS issue in Extension:PageForms
<https://gerrit.wikimedia.org/r/q/I5e0abbc2f80e6bda255b3b32a4df39a7fe7d3793>
<https://gerrit.wikimedia.org/r/q/Ibe68b070ee791cd0c8e7f50eb04ac4e066b1512c>
<https://gerrit.wikimedia.org/r/q/I20b63bd38779d2ccbe2d86f9879df85ca3b685f6>

== AbuseFilter ==
+ (T71617, CVE-2021-31546) - AbuseFilter logs suppression deletions
<https://gerrit.wikimedia.org/r/q/I38a0a24fa32ca7a052b6940864a32b3856e84553>

== AbuseFilter ==
+ (T223654, CVE-2021-31547) - AbuseFilterCheckMatch API reveals suppressed
edits and usernames
<https://gerrit.wikimedia.org/r/q/I4900b1be73323599d74e3164447f81eded094d75>
<https://gerrit.wikimedia.org/r/q/I3f7dbd8b873d411e37c8c3aac2339bf5ec36907d>

== AbuseFilter ==
+ (T71367, CVE-2021-31545) - page_recent_contributors leaks revdeleted user
names
<https://gerrit.wikimedia.org/r/q/I8d5ed9ca84282ee50832035af86123633fc88293>

== AbuseFilter ==
+ (T274152, CVE-2021-31549) - Special:AbuseFilter/examine reveals
suppressed usernames
<https://gerrit.wikimedia.org/r/q/I6063c02fa261c4cc0e6dbbb2db4e111eb85912c2>
<https://gerrit.wikimedia.org/r/q/I71a6d521bd12931ce60eec4d2dc35af19146000f>

== CheckUser ==
+ (T275669, CVE-2021-31553) - Checkuser stores users to cu_log with
trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will
<https://gerrit.wikimedia.org/r/666963>
<https://gerrit.wikimedia.org/r/666964>

== AbuseFilter ==
+ (T152394, CVE-2021-31552) - AbuseFilter privacy concerns on action ==
'createaccount' and 'accountname'
<https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1>

== AbuseFilter ==
+ (T272244, CVE-2021-31554) - AbuseFilter blocks not working for account
autocreations
<https://gerrit.wikimedia.org/r/q/Ie1f4333d5b1c9d17fb2236fe38a31de427a4cc48>

== OAuth ==
+ (T277380, CVE-2021-31556) - OAuth doesn't validate length of oarc_rsa_key
<https://gerrit.wikimedia.org/r/q/I13ff0350a9a0a3cd5ab3e1f82dd0d8d9c13cf9e9>

== OAuth ==
+ (T277388, CVE-2021-31555) - OAuth doesn't validate length of oarc_version
<https://gerrit.wikimedia.org/r/q/I222c053b4b14ac1ad0f5b3a51565b1b9cd4c139d>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.html
[1] https://phabricator.wikimedia.org/T270466
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org


[Wikitech-l] Re: Why does the train start on Tuesday?

2021-06-22 Thread Scott Bassett
On Tue, Jun 22, 2021 at 3:03 PM Jon Robson  wrote:

> A few questions to provoke discussion/share knowledge better:
> * Why does the train run Tue,Wed, Thur rather than Mon,Tue,Wed
>

I'd note here that the standard security deployment window is Monday
between 21:00 and 23:00 UTC.  That date and time is not a hard requirement
by any means, but having such a window exist early in the week, prior to
the start of the train, has worked out well for a few reasons.  It's both
convenient and less risky to only deploy security patches to a single wmf
production branch, which is the case most Mondays.  It's also less risky
having the space to monitor patches and roll them back or re-patch during
the week, as opposed to say, on a Friday, with substantially reduced
coverage going into most weekends.  Of course there are times when critical
security issues need to be dealt with on a Friday or even over the weekend,
but in general, the Security Team likes to avoid this.  Moving the train to
a Mon, Tue, Wed cadence would imply the security window be moved to the
previous Friday or possibly Thursday, which is doable, but not desired for
the aforementioned reasons.

-- 
Scott Bassett
sbass...@wikimedia.org
___
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/

[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.15/1.35.3/1.36.1)

2021-07-02 Thread Scott Bassett
Greetings-

With the security/maintenance release of MediaWiki 1.31.15/1.35.3/1.36.1
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:

== SocialProfile ==
+ (T281043, CVE-2021-36130) - Stored XSS in various SystemGifts-related
special pages
<https://gerrit.wikimedia.org/r/q/Id915eba45497a1a0dc1c4e00818a2fd4c0ce55d3>

== SportsTeams ==
+ (T281196, CVE-2021-36131) - Stored XSS in SportsTeams'
Special:SportsTeamsManager & Special:UpdateFavoriteTeams
<https://gerrit.wikimedia.org/r/691913>

== FileImporter ==
+ (T280590, CVE-2021-36132) - Special:ImportFile does not check permissions
from own config FileImporterRequiredRight
<https://gerrit.wikimedia.org/r/q/I8ff2a67abd2c118a3469e4410eac2a451bfa76c3>

== ManageWiki ==
+ (T281417, CVE-2021-29483) - 'wikiconfig' API leaked private config
variables
<https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g8vv>

== CentralAuth ==
+ (T260865, CVE-2021-36125) - Very long usernames can cause an infinite
loop when loading Special:GlobalRenameRequest
<https://gerrit.wikimedia.org/r/q/I97d8b3236b5abed8ba9a9c4d3ab5050c2e782c22>
+ (T281972, CVE-2021-36128) - Disable autoblocks for CentralAuth-issued
suppression blocks
<https://gerrit.wikimedia.org/r/q/I15d14c88a1e30df92c470bc191c4ee573172d4d1>
+ (T285190, CVE-2021-36127) - Special:GlobalUserRights reveals existence of
globally suppressed users
<https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec>

== Translate ==
+ (T282932, CVE-2021-36129) - Aggregategroups Action API module allows
deleting translatable page metadata for any group without trace
<https://gerrit.wikimedia.org/r/q/I3619a7e88c2eb979babb7b027d4fdbfabc0af792>

== AbuseFilter ==
+ (T284364, CVE-2021-36126) - Bad English MediaWiki:Abusefilter-blocker
breaks filters
<https://gerrit.wikimedia.org/r/q/I9e9f44b7663e810de70fb9ac7f6760f83dd4895b>

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[0]
https://lists.wikimedia.org/hyperkitty/list/mediawiki-annou...@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/
[1] https://phabricator.wikimedia.org/T279733
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org