Assigned To:
Authored By: Bawolff, Nov 29 2017, 6:58 PM
Referenced Files

| File | Uploaded |
|---|---|
| F25627840: REL1_30.tar | Sep 3 2018, 8:35 AM |
| F25627841: REL1_29.tar | Sep 3 2018, 8:35 AM |
| F25627839: master.tar | Sep 3 2018, 8:35 AM |
| F25627843: REL1_27.tar | Sep 3 2018, 8:35 AM |
| F25627842: REL1_31.tar | Sep 3 2018, 8:35 AM |
| F23421797: 01-T169545-REL1_30.patch | Jul 7 2018, 5:56 PM |
| F23421770: 01-T169545-REL1_27.patch | Jul 7 2018, 5:56 PM |
| F23421769: 01-T169545-REL1_29.patch | Jul 7 2018, 5:56 PM |
Description
Previous work T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
Tracking bug for next security release
This will be the final 1.29 release.
| Maniphest ID | CVE ID | REL1_27 | REL1_29 | REL1_30 | REL1_31 | master |
|---|---|---|---|---|---|---|
| T169545 | CVE-2018-0503 | 01-T169545-REL1_27.patch (1 KB) | 01-T169545-REL1_29.patch (1 KB) | 01-T169545-REL1_30.patch (1 KB) | 01-T169545-REL1_31.patch (1 KB) | 01-T169545-master.patch (1 KB) |
| T187638 | CVE-2018-0504 | merged | merged | merged | merged | merged |
| T194605 | CVE-2018-0505 | | | | | |
| T194237 | n/a (hardening) | merged | merged | merged | merged | merged |
| T199029 | CVE-2018-13258 | n/a | n/a | n/a | | |
Related Objects

| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | Reedy | T199021 Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1 |
| Resolved | | Reedy | T181665 Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release |
| Resolved | | matmarex | T169545 $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503) |
| Resolved | | Samwilson | T187638 When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504) |
| Resolved | | Bawolff | T194605 BotPassword can bypass CentralAuth's account lock (CVE-2018-0505) |
| Resolved | | Anomie | T194237 bot passwords should call checkLoginSecurityLevel |
| Resolved | | Legoktm | T199029 1.31.0 tarball is missing .htaccess files (CVE-2018-13258) |
Mentioned In
- T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
- T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258)

Mentioned Here
- T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258)
- T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)
- T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)
- T194237: bot passwords should call checkLoginSecurityLevel
- T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505)
- T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases
- T197669: Formalise and Announce REL1_29 EOL
Event Timeline
Bawolff created this task. Nov 29 2017, 6:58 PM
Bawolff moved this task from Backlog / Other to Pending deployment / release on the acl*security board. Nov 29 2017, 7:05 PM
Aklapper renamed this task from "Tracking bug for 1.27.5/1.29.2/1.30.1 security release" to "Tracking bug for 1.27.5/1.29.3/1.30.1 security release". Mar 28 2018, 7:34 AM
greg subscribed. Mar 29 2018, 9:33 PM

Comment: As I said in email: Let's shoot for this to happen before REL1_31 is branched (April 17th) to make things clean for everyone.

Reedy renamed this task from "Tracking bug for 1.27.5/1.29.3/1.30.1 security release" to "Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release". Jul 7 2018, 10:41 AM
Reedy updated the task description.
Reedy added a parent task: T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1. Jul 7 2018, 4:49 PM
Reedy updated the task description.
Reedy updated the task description.
Reedy closed subtask T194237: bot passwords should call checkLoginSecurityLevel as Resolved. Jul 7 2018, 5:26 PM
Reedy updated the task description.
Reedy closed subtask T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504) as Resolved. Jul 7 2018, 5:29 PM
Reedy updated the task description.
Reedy closed subtask T169545: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503) as Resolved. Jul 7 2018, 5:55 PM
Reedy updated the task description.
Jdforrester-WMF subscribed. Jul 11 2018, 11:34 PM
Legoktm updated the task description.
Legoktm added a subtask: T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258). Aug 29 2018, 1:23 AM
Legoktm updated the task description.
Legoktm closed subtask T194605: BotPassword can bypass CentralAuth's account lock (CVE-2018-0505) as Resolved. Aug 29 2018, 7:20 AM
Legoktm subscribed. Sep 3 2018, 8:35 AM

Comment: I didn't want to upload 20 individual files to Phabricator... here are tars of the 3 backported security patches for each branch, and then release branches have one more patch bumping $wgVersion and adding release notes.

- master.tar (10 KB)
- REL1_30.tar (20 KB)
- REL1_29.tar (20 KB)
- REL1_31.tar (20 KB)
- REL1_27.tar (20 KB)

Bawolff moved this task from Incoming to Epics in progress on the Security-Team board. Sep 4 2018, 4:19 PM
Reedy closed subtask T199029: 1.31.0 tarball is missing .htaccess files (CVE-2018-13258) as Resolved. Sep 20 2018, 8:20 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Epics in progress to Our Part Is Done on the Security-Team board. Jun 11 2019, 6:10 PM
sbassett moved this task from Pending deployment / release to Done on the acl*security board. Sep 26 2019, 2:29 PM