
URL: https://phabricator.wikimedia.org/T240393

T240393 Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1


Closed, Resolved · Public

Description

Previous work T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release

Tracking bug for next security release

Maniphest ID | CVE ID | REL1_31 | REL1_33 | REL1_34 | master
T232932 | CVE-2020-10959 | n/a | n/a
0002-T232932-master.patch (2 KB)
T246602 | CVE-2020-10960
0001-T246602-master.patch (1 KB)

n.b. T246602 is a pretty minor issue, but should probably be included here anyways.

Event Timeline

Reedy triaged this task as Medium priority. Dec 10 2019, 11:02 PM
Reedy renamed this task from Tracking bug for Release MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1. Dec 10 2019, 11:03 PM
Reedy renamed this task from Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1. Jan 23 2020, 1:11 PM
Reedy updated the task description.

CVEs requested. Will update table in task description and task titles when I have the IDs.

Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
DannyS712 changed the visibility from "Public (No Login Required)" to "Custom Policy". Mar 26 2020, 5:48 PM

@Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting


> @Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting

Considering the patch is already listed on https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html...

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 26 2020, 6:34 PM