		Status	Subtype
Resolved	Reedy	T240392 Release MediaWiki 1.31.7/1.33.3/1.34.1
Resolved	Reedy	T240393 Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1
Resolved	sbassett	T232932 User content can redirect the logout button to different URL (CVE-2020-10959)
Resolved	Security	sbassett	T246602 makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960)

Mentioned In: T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2
T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases
T234104: PageTriage: Api allows spamming users with notifications
T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534)
T239466: Possible to circumvent title-blacklist (CVE-2019-19709)
Mentioned Here: T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960)
T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534)
T232932: User content can redirect the logout button to different URL (CVE-2020-10959)
T239466: Possible to circumvent title-blacklist (CVE-2019-19709)
T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release

Event Timeline

Reedy created this task.Dec 10 2019, 10:53 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2019, 10:53 PM

Reedy added a project: MediaWiki-Releasing.Dec 10 2019, 10:57 PM

Reedy triaged this task as Medium priority.Dec 10 2019, 11:02 PM

Reedy renamed this task from Tracking bug for Release MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1.Dec 10 2019, 11:03 PM

Reedy added a subtask: T232932: User content can redirect the logout button to different URL (CVE-2020-10959).

Reedy added a subtask: T239466: Possible to circumvent title-blacklist (CVE-2019-19709).

sbassett mentioned this in T239466: Possible to circumvent title-blacklist (CVE-2019-19709).Dec 10 2019, 11:20 PM

Legoktm updated the task description. (Show Details)Dec 12 2019, 9:14 AM

Reedy removed a subtask: T239466: Possible to circumvent title-blacklist (CVE-2019-19709).Dec 12 2019, 12:07 PM

Reedy updated the task description. (Show Details)

Reedy renamed this task from Tracking bug for MediaWiki 1.31.7/1.32.7/1.33.3/1.34.1 to Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.Jan 23 2020, 1:11 PM

Reedy updated the task description. (Show Details)

• chasemp added a project: Security.Feb 10 2020, 10:56 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM

sbassett updated the task description. (Show Details)Feb 21 2020, 10:13 PM

sbassett added a subtask: T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 2 2020, 6:07 PM

sbassett updated the task description. (Show Details)

sbassett mentioned this in T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 2 2020, 6:10 PM

sbassett added a subtask: T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960).Mar 2 2020, 11:25 PM

sbassett updated the task description. (Show Details)

Jdforrester-WMF subscribed.Mar 3 2020, 5:23 PM

sbassett mentioned this in T234104: PageTriage: Api allows spamming users with notifications.Mar 6 2020, 7:14 PM

sbassett added a subscriber: DannyS712.Mar 6 2020, 7:42 PM

Reedy removed a subtask: T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).Mar 10 2020, 2:13 PM

Reedy updated the task description. (Show Details)

Reedy updated the task description. (Show Details)Mar 24 2020, 5:03 PM

Reedy closed subtask T246602: makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960) as Resolved.Mar 24 2020, 5:13 PM

Reedy closed subtask T232932: User content can redirect the logout button to different URL (CVE-2020-10959) as Resolved.Mar 24 2020, 5:32 PM

sbassett subscribed.EditedMar 25 2020, 2:55 AM

Comment Actions

CVEs requested. Will update table in task description and task titles when I have the IDs.

Legoktm mentioned this in T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases.Mar 25 2020, 11:15 PM

Legoktm updated the task description. (Show Details)Mar 25 2020, 11:18 PM

Reedy mentioned this in T248535: Tracking bug for MediaWiki 1.31.8/1.33.4/1.34.2.Mar 26 2020, 12:34 AM

sbassett updated the task description. (Show Details)Mar 26 2020, 3:39 AM

Reedy closed this task as Resolved.Mar 26 2020, 5:41 PM

Reedy claimed this task.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".

DannyS712 changed the visibility from "Public (No Login Required)" to "Custom Policy".Mar 26 2020, 5:48 PM

Comment Actions

@Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting

Reedy added a comment.Mar 26 2020, 6:34 PM

Comment Actions

In T240393#6002789, @DannyS712 wrote:

@Reedy I've hidden this again - T232932: User content can redirect the logout button to different URL (CVE-2020-10959) still isn't public (I can't see it) but the fact that the patch file is included here means that the patch can be viewed by anyone who can see this task, which probably wasn't supposed to be public. If it was, apologies for overreacting

Considering the patch is already listed on https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-March/000247.html...

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 6:34 PM

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits

URL: https://phabricator.wikimedia.org/T240393

⇱ ⚓ T240393 Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1

Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1
Closed, ResolvedPublic
Actions

Description

Related Objects

Event Timeline

URL: https://phabricator.wikimedia.org/T240393

⇱ ⚓ T240393 Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1

Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1Closed, ResolvedPublicActions

Description

Related Objects

Event Timeline

Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1
Closed, ResolvedPublic
Actions