[IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)
- From: Scott Bassett <sbassett AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org
- Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)
- Date: Fri, 11 Apr 2025 15:47:11 -0500
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
Greetings-
...and hopefully one last round of apologies. It was pointed out that the
_contents_ of the previous release emails were _also_ incorrect, as opposed
to just the relevant versions of MediaWiki. The following is both the
correct content (released security issues) and relevant MediaWiki versions.
With the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:
SimpleCalendar
+ (T383472, CVE-2025-32077) - XSSes in Extension:SimpleCalendar
https://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be
VersionCompare
+ (T384269, CVE-2025-32078) - XSSes and potential RCE in
Special:VersionCompare
https://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0
GrowthExperiments
+ (T384244, CVE-2025-32079) - Saving the right content to
MediaWiki:GrowthMentors.json can take down the site
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1114020
MobileFrontend
+ (T366402, CVE-2025-32080) - Cross-origin data leak in mobilefrontend via
lazy load images
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/1123392
VisualData
+ (T385935, CVE-2025-32076) - Evil regex used to process user-provided data
in VisualData
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732
FeedUtils
+ (T386175, CVE-2025-32072) - HTML injection in feed output from i18n
message
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134
HTMLTags
+ (T386337, CVE-2025-32073) - System message XSS in HTMLTags
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056
ConfirmAccount
+ (T386908, CVE-2025-32074) - XSSes in Extension:ConfirmAccount
https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f
Tabs
+ (T386887, CVE-2025-32075) - IP and user agent leaks in Extension:Tabs
https://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092
GrowthExperiments
+ (T386963, CVE-2025-32067) - i18n XSS vulnerability in message
growthexperiments
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163
OAuth
+ (T336113, CVE-2025-32068) - Revoking authorization of OAuth2 consumer
does not invalidate refresh tokens
https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc
WikibaseMediaInfo
+ (T387691, CVE-2025-32069) - Wikitext stored XSS on filepages due to
dangerous WBMI serialization
https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657
AJAXPoll
+ (T389590, CVE-2025-32070) - XSSes in AJAXPoll
https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c
Wikibase
+ (T389369, CVE-2025-32071) - Wikibase CommonsInlineImageFormatter: i18n XSS
https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90
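As an added illustration of the OAuth entry above (CVE-2025-32068), not the extension's own code: a constructed token store in which a refresh-token exchange that only checks that the token exists keeps working after the user revokes the consumer's authorization, beside the fixed behaviour that ties the exchange to the grant's revocation state and purges outstanding refresh tokens at revocation time. The class and method names are assumptions chosen for the example.

```python
# Constructed model of the failure mode behind the OAuth item above
# (CVE-2025-32068). Not MediaWiki code: the class and method names are
# assumptions chosen only to illustrate the bug class and its fix.
import secrets


class TokenStore:
    def __init__(self, check_grant_on_refresh):
        # Fixed behaviour re-checks the grant on every refresh exchange;
        # the vulnerable behaviour only checks that the token exists.
        self.check_grant_on_refresh = check_grant_on_refresh
        self.grants = {}          # grant_id -> {"consumer", "user", "revoked"}
        self.refresh_tokens = {}  # refresh token -> grant_id

    def authorize(self, consumer_id, user):
        """User authorizes a consumer; returns (grant_id, refresh_token)."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = {"consumer": consumer_id, "user": user,
                                 "revoked": False}
        return grant_id, self._issue_refresh(grant_id)

    def _issue_refresh(self, grant_id):
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = grant_id
        return token

    def revoke(self, grant_id):
        """User revokes the consumer's authorization."""
        self.grants[grant_id]["revoked"] = True
        if self.check_grant_on_refresh:
            # Defence in depth: also purge outstanding refresh tokens now.
            self.refresh_tokens = {t: g for t, g in self.refresh_tokens.items()
                                   if g != grant_id}

    def refresh(self, token):
        """Exchange a refresh token for a new one, or None if rejected."""
        grant_id = self.refresh_tokens.pop(token, None)  # single-use rotation
        if grant_id is None:
            return None
        if self.check_grant_on_refresh and self.grants[grant_id]["revoked"]:
            return None
        return self._issue_refresh(grant_id)


def refresh_succeeds_after_revocation(fixed):
    """Authorize, revoke, then retry with the pre-revocation refresh token."""
    store = TokenStore(check_grant_on_refresh=fixed)
    grant_id, token = store.authorize("consumer-a", "alice")
    store.revoke(grant_id)
    return store.refresh(token) is not None
```

A server that passes only the second check below still needs to audit for tokens minted before the fix was deployed, since those were never invalidated.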
The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security AT wikimedia.org
or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T382326
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
--
Scott Bassett
sbassett AT wikimedia.org