Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)


Chronologisch Thread  
  • From: Manfredi Martorana <mmartorana AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)
  • Date: Wed, 10 Jul 2024 11:15:56 +0200
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/3NE3HUY4H6PCEG334MW2STD42K6IORFX/>
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Greetings-

With the security/maintenance release of MediaWiki
1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this
supplementary announcement of MediaWiki extensions and skins with
now-public Phabricator tasks, security patches and backports [1]:

CheckUser
+ (T361293 <https://phabricator.wikimedia.org/T361293>, CVE-2024-40606) -
Special:CheckUser 'Get users' shows hidden usernames to those who do not
have the rights to see it
https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2

CheckUser
+ (T361295 <https://phabricator.wikimedia.org/T361295>, CVE-2024-40610) -
CheckUser API for the 'ipusers' and 'actions' request type shows hidden
usernames to those who cannot see them
https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9

CheckUser
+ (T361296 <https://phabricator.wikimedia.org/T361296>, CVE-2024-40608) -
Special:Investigate exposes suppressed usernames to those who do not have
the rights to see them
https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241

CheckUser
+ (T361479 <https://phabricator.wikimedia.org/T361479>, CVE-2024-40607) -
Special:CheckUser 'Get actions' page link can expose the username of a
suppressed user via the 'logs' URL
https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232

CheckUser
+ (T326867 <https://phabricator.wikimedia.org/T326867>, CVE-2024-40598) -
CheckUser API can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294

CheckUser
+ (T326865 <https://phabricator.wikimedia.org/T326865>, CVE-2024-40597) -
Special:CheckUser can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782

CheckUser
+ (T338419 <https://phabricator.wikimedia.org/T338419>, CVE-2024-40609) -
Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate
timeline mode
https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22

CheckUser
+ (T268147 <https://phabricator.wikimedia.org/T268147>, CVE-2024-40611) -
Special:CheckUser shows deleted edits to non-admins

CheckUser
+ (T326866 <https://phabricator.wikimedia.org/T326866>, CVE-2024-40596) -
Special:Investigate can expose suppressed information for log events
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100

GuMaxDD
+ (T361448 <https://phabricator.wikimedia.org/T361448>, CVE-2024-40599) -
GuMaxDD skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a

Nimbus
+ (T361450 <https://phabricator.wikimedia.org/T361450>, CVE-2024-40604) -
Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar
https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad

Tempo
+ (T361451 <https://phabricator.wikimedia.org/T361451>, CVE-2024-40602) -
Tempo skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a

Foreground
+ (T361452 <https://phabricator.wikimedia.org/T361452>, CVE-2024-40605) -
Foreground skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344

BlueLL
+ (T361453 <https://phabricator.wikimedia.org/T361453>, CVE-2024-40612) -
BlueLL skin: stored XSS via MediaWiki:Sidebar
https://github.com/lingua-libre/BlueLL/pull/18

Metrolook
+ (T361449 <https://phabricator.wikimedia.org/T361449>, CVE-2024-40600) -
Metrolook skin: stored XSS via MediaWiki:Sidebar
https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e

MediaWikiChat
+ (T362588 <https://phabricator.wikimedia.org/T362588>, CVE-2024-40601) -
Classic CSRF in MediaWikiChat's API modules
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/1023496

ArticleRatings
+ (T363884 <https://phabricator.wikimedia.org/T363884>, CVE-2024-40603) -
Special:ChangeRating is vulnerable to CSRF
https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7

Gadgets
+ (T363773 <https://phabricator.wikimedia.org/T363773>, CVE-2024-40613) -
Evil regex used to process gadget definitions
https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T361321
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org


  • [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0), Manfredi Martorana, 10.07.2024

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang