Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)


Chronologisch Thread  
  • From: Manfredi Martorana <mmartorana AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0)
  • Date: Wed, 17 Jan 2024 18:29:53 +0100
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/ZHJ2P6MGGOB2GAHAVJEU4NRZDL5QPKGT/>
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Greetings-

With the security/maintenance release of MediaWiki
1.35.14/1.39.6/1.40.2/1.41.0, we would also like to provide this
supplementary announcement of MediaWiki extensions and skins with
now-public Phabricator tasks, security patches and backports [1]:

PageTriage
+ (T347704, CVE-2024-23174) - XSS in pagetriage-tags-quickfilter-label
PageTriage
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageTriage/+/989177

Cargo
+ (T348687, CVE-2024-23173) - Reflected XSS Could Lead to Steal User Cookie
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/965214/

CampaignTools
+ (T348343, CVE-2024-23171) - Various i18n-based XSSs in
Special:EventDetails
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/971248/

CheckUser
+ (T347708, CVE-2024-23172) - Several not properly escaped messages in the
CheckUser extension
https://gerrit.wikimedia.org/r/q/If3ce02cac9c5f2a6f84c42d902b8290eb1fa7250

MassMessage
+ (T347742, CVE-2024-23176) - MassMessage i18n key
massmessage-form-page-help allows i18n-xss
https://gerrit.wikimedia.org/r/q/Ife6fb590af53fa0d8eb59201ce88a3c47ddde45c

GlobalBlocking
+ (T347746, CVE-2024-23179) - GlobalBlocking subtitle links have i18n-xss
via the parentheses message
https://gerrit.wikimedia.org/r/q/Ide490ca62bdb79b80be5e016986c6c96bfa3b4cf
https://gerrit.wikimedia.org/r/q/I1cad283235ea974c7d4ffabc49e1ff801dd4d276

WatchAnalytics
+ (T348979, CVE-2024-23177) - WatchAnalytics: classic XSS on
Special:PageStatistics with the 'page' URL parameter
https://gerrit.wikimedia.org/r/q/I09f4663c1c619796624b7d296c1351e0245cdaf1

Phonos
+ (T349312, CVE-2024-23178) - XSS in Phonos via the
phonos-purge-needed-error message
https://gerrit.wikimedia.org/r/q/I4cbdd3a35ded2385c29983c77f98835fa2ca307c

FlexDiagrams
+ (T353138, CVE-2024-23178) - FlexDiagrams XSS bug
https://gerrit.wikimedia.org/r/q/I139e88d8669b14469e359d1d124b2647dde2a7ca

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T347659
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org


  • [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.35.14/1.39.6/1.40.2/1.41.0), Manfredi Martorana, 17.01.2024

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang