[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)
- From: Maryum Styles <mstyles AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.7/1.40.3/1.41.1)
- Date: Mon, 6 May 2024 12:54:34 +0300
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/ISK76VXYSIOKYLLU2DTQUXIJV6MMWGOJ/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
Greetings-
There was a delay in CVE assignment due to a backlog with Mitre. With the
security/maintenance release of MediaWiki 1.39.7/1.40.3/1.41.1, we would
also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
CheckUser
+ (T355434, CVE-2024-34505) - Temporary account IP reveal does not check the deleted status
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/992795/
CheckUser
+ (T356226, CVE-2024-34501) - CheckUser Client Hints REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/Idc776c7c7612c8b9e2c134706c9e2ebc2f5b655f
ReportIncident
+ (T356190, CVE-2024-34503) - ReportIncident REST API does not use a CSRF token
https://gerrit.wikimedia.org/r/q/I27b5899cf69837c9ab8fee2b5bc9b2e788e69f9e
IPInfo
+ (T356183, CVE-2024-34504) - IPInfo REST APIs are not safe from CSRF attacks
https://gerrit.wikimedia.org/r/q/I5974c1e71286f5f920ace51ba064e96c88296a4e
WikiDiscover
+ (GHSA-cfcf-94jv-455f, CVE-2024-25107) - Cross-Site Scripting on Special:WikiDiscover
https://github.com/miraheze/WikiDiscover/security/advisories/GHSA-cfcf-94jv-455f
UnlinkedWikibase
+ (T357203, CVE-2024-34500) - XSS through interface message in UnlinkedWikibase
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UnlinkedWikibase/+/1002175
WikibaseLexeme
+ (T357101, CVE-2024-34502) - Special:MergeLexemes makes edits on GET requests without edit tokens
https://gerrit.wikimedia.org/r/q/Iae0c7c3b979118559c9ce2276618c6cdec11e63d
Cargo
+ (T331362, CVE-2023-29134) - SQL injection in Cargo handling of quotes inside backticks
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1005478
ManageWiki
+ (GHSA-cfcf-94jv-455f, CVE-2024-25109) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84
CreateWiki
+ (GHSA-8wjf-mxjg-j8p9, CVE-2024-29883) - Special:ManageWiki does not escape interface messages
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9
[1] https://phabricator.wikimedia.org/T353904
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org