Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0)

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0)


Chronologisch Thread  
  • From: Maryum Styles <mstyles AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0)
  • Date: Fri, 30 Jun 2023 11:17:39 -0700
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/4GNSSE2VECVOPWE2NUKWD4C5IOSSF73R/>
  • Authentication-results: mail.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b=JkxMfr9z; spf=pass (mail.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:1:208:80:154:21 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org; dmarc=pass (policy=none) header.from=wikimedia.org
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Greetings-

With the security/maintenance release of MediaWiki
1.35.11/1.38.7/1.39.4/1.40.0, we would also like to provide this
supplementary announcement of MediaWiki extensions and skins with
now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T333569, CVE-2023-37255) - Special:CheckUser 'get edits' is vulnerable
to HTML injection through user agent string.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/905706/

GoogleAnalyticsMetrics
+ (T333980, CVE-2023-37251) - GoogleAnalyticsMetrics parser function in
extension does not properly escape js in onclick handler and does not
prevent using javascript urls.
https://gerrit.wikimedia.org/r/c/905661

CheckUser
+ (T330968, CVE-2023-37252) - Special:CheckUserLog shows usernames which
have been hidden.
https://gerrit.wikimedia.org/r/c/933686
https://gerrit.wikimedia.org/r/c/932822

Cargo
+ (T331311, CVE-2023-37256) - Cargo allows storing javascript URLs in URL
fields, and automatically linking them.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

Cargo
+ (T331065, CVE-2023-37254) - XSS in Special:CargoQuery using default
format.
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894666


ProofreadPage
+ (T326952, CVE-2023-37253) - ProofreadPage leaks suppressed user via the
API and config variables.
https://gerrit.wikimedia.org/r/q/Ibe5f8e25dea155bbd811a65833394c0d4b906a34

DoubleWiki
+ (T323651, CVE-2023-37304) - XSS in DoubleWiki extension (Wikisource).
https://gerrit.wikimedia.org/r/c/933666
https://gerrit.wikimedia.org/r/c/933667
https://gerrit.wikimedia.org/r/c/932825

CheckUser
+ (T338276, CVE-2023-37303) - Wikimedia\Rdbms\DBQueryDisconnectedError when
blocking user.
https://gerrit.wikimedia.org/r/c/932823

Wikibase
+ (T250720, CVE-2023-37301) - Wikidata edit filter does not fire when test
tool says it should.
https://gerrit.wikimedia.org/r/c/933663

Wikibase
+ (T339111, CVE-2023-37302) - Style injection into badges on Wikidata due
to unescaped quotes.
https://gerrit.wikimedia.org/r/c/933649
https://gerrit.wikimedia.org/r/c/933650

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T333626
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org


  • [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.11/1.38.7/1.39.4/1.40.0), Maryum Styles, 30.06.2023

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang