Maniphest ID	CVE ID	REL1_27	REL1_29	REL1_30	REL1_31	master
T169545	CVE-2018-0503	01-T169545-REL1_27.patch1 KBDownload	01-T169545-REL1_29.patch1 KBDownload	01-T169545-REL1_30.patch1 KBDownload	01-T169545-REL1_31.patch1 KBDownload	01-T169545-master.patch1 KBDownload
T187638	CVE-2018-0504	merged	merged	merged	merged	merged
T194605	CVE-2018-0505
T194237	n/a (hardening)	merged	merged	merged	merged	merged
T199029	CVE-2018-13258	n/a	n/a	n/a

Related Objects

		Status
Resolved	Reedy	T199021 Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1
Resolved	Reedy	T181665 Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release
Resolved	matmarex	T169545 $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)
Resolved	Samwilson	T187638 When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)
Resolved	Bawolff	T194605 BotPassword can bypass CentralAuth's account lock (CVE-2018-0505)
Resolved	Anomie	T194237 bot passwords should call checkLoginSecurityLevel
Resolved	Legoktm	T199029 1.31.0 tarball is missing .htaccess files (CVE-2018-13258)

Mentioned In: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258)
Mentioned Here: T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258)
T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)
T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)
T194237: bot passwords should call checkLoginSecurityLevel
T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505)
T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
T197669: Formalise and Announce REL1_29 EOL

Event Timeline

Bawolff created this task.Nov 29 2017, 6:58 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2017, 6:58 PM

Bawolff added a project: Security-Team.Nov 29 2017, 6:59 PM

Bawolff added a subtask: T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503).

Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Nov 29 2017, 7:05 PM

Bawolff added a subtask: Restricted Task.Jan 8 2018, 6:51 PM

Bawolff added a subtask: T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504).Mar 28 2018, 6:59 AM

Aklapper renamed this task from Tracking bug for 1.27.5/1.29.2/1.30.1 security release to Tracking bug for 1.27.5/1.29.3/1.30.1 security release.Mar 28 2018, 7:34 AM

greg subscribed.Mar 29 2018, 9:33 PM

Comment Actions

As I said in email: Let's shoot for this to happen before REL1_31 is branched (April 17th) to make things clean for everyone.

• demon added a subscriber: • CCicalese_WMF.Apr 13 2018, 4:20 PM

• demon added a project: MW-1.31-release.Apr 13 2018, 4:23 PM

Krinkle added a project: MW-1.30-release.Apr 18 2018, 5:57 PM

Krinkle added projects: MW-1.27-release, MW-1.29-release.

Reedy added a subtask: T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505).Jun 4 2018, 4:20 PM

Bawolff added a subtask: T194237: bot passwords should call checkLoginSecurityLevel.Jun 10 2018, 6:15 PM

greg added a subscriber: Reedy.Jun 12 2018, 4:18 AM

Comment Actions

@Bawolff @Reedy is this going to happen soon? 1.31 is really close to being ready.

Reedy renamed this task from Tracking bug for 1.27.5/1.29.3/1.30.1 security release to Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 10:41 AM

Reedy updated the task description. (Show Details)

Reedy added a parent task: T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Jul 7 2018, 4:49 PM

Reedy updated the task description. (Show Details)Jul 7 2018, 5:22 PM

Reedy updated the task description. (Show Details)

Reedy closed subtask T194237: bot passwords should call checkLoginSecurityLevel as Resolved.Jul 7 2018, 5:26 PM

Reedy updated the task description. (Show Details)

Reedy closed subtask T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504) as Resolved.Jul 7 2018, 5:29 PM

Reedy updated the task description. (Show Details)

Reedy closed subtask T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503) as Resolved.Jul 7 2018, 5:55 PM

Reedy updated the task description. (Show Details)

Bawolff added a subtask: T196386: MediaWiki should prevent username registration if the username previously existed.Jul 9 2018, 11:07 PM

Jdforrester-WMF subscribed.Jul 11 2018, 11:34 PM

Legoktm removed a subtask: T196386: MediaWiki should prevent username registration if the username previously existed.Aug 29 2018, 12:57 AM

Legoktm removed a subtask: Restricted Task.Aug 29 2018, 1:14 AM

Legoktm updated the task description. (Show Details)

Legoktm added a subtask: T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258).Aug 29 2018, 1:23 AM

Legoktm updated the task description. (Show Details)

Legoktm updated the task description. (Show Details)Aug 29 2018, 1:49 AM

Legoktm closed subtask T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505) as Resolved.Aug 29 2018, 7:20 AM

Legoktm updated the task description. (Show Details)Aug 29 2018, 6:12 PM

Legoktm subscribed.Sep 3 2018, 8:35 AM

Comment Actions

I didn't want to upload 20 individual files to Phabricator...here's tars of the 3 backported security patches for each branch, and then release branches have one more patch bumping $wgVersion and adding release notes.

master.tar10 KBDownload

REL1_30.tar20 KBDownload

REL1_29.tar20 KBDownload

REL1_31.tar20 KBDownload

REL1_27.tar20 KBDownload

Bawolff moved this task from Incoming to Epics in progress on the Security-Team board.Sep 4 2018, 4:19 PM

Reedy mentioned this in T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258).Sep 15 2018, 2:44 AM

Reedy closed subtask T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258) as Resolved.Sep 20 2018, 8:20 PM

Reedy closed this task as Resolved.Sep 20 2018, 9:32 PM

Reedy claimed this task.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".

Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Sep 20 2018, 9:55 PM

sbassett moved this task from Epics in progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:10 PM

sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:29 PM

• chasemp added a project: Security.Feb 10 2020, 10:52 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits

URL: https://phabricator.wikimedia.org/T181665

⇱ ⚓ T181665 Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release

Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release
Closed, ResolvedPublic
Actions

Description

Related Objects

Event Timeline

URL: https://phabricator.wikimedia.org/T181665

⇱ ⚓ T181665 Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release

Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security releaseClosed, ResolvedPublicActions

Description

Related Objects

Event Timeline

Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release
Closed, ResolvedPublic
Actions