[MediaWiki-announce] MediaWiki Extensions and Skins Security Release Supplement (1.31.13/1.35.2)

Greetings-

With the security/maintenance release of MediaWiki 1.31.13/1.35.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

== CommentBox == + (T270767, CVE-2021-31550) - Wg variables aren't validated by CommentBox - possible raw html insertion risk https://gerrit.wikimedia.org/r/651934

== AbuseFilter == + (T272333, CVE-2021-31548) - Disallow the edit if blocking the user didn't succeed https://gerrit.wikimedia.org/r/657092

== WikiLove == + (T270142, CVE-2021-31557) - mw.config.get( 'wikilove-anon' ) leaks the existence of hidden users https://gerrit.wikimedia.org/r/q/Ibcd87abe01719222beadcfc0de13038c3021adef

== PageForms == + (T259433, CVE-2021-31551) - XSS issue in Extension:PageForms https://gerrit.wikimedia.org/r/q/I5e0abbc2f80e6bda255b3b32a4df39a7fe7d3793 https://gerrit.wikimedia.org/r/q/Ibe68b070ee791cd0c8e7f50eb04ac4e066b1512c https://gerrit.wikimedia.org/r/q/I20b63bd38779d2ccbe2d86f9879df85ca3b685f6

== AbuseFilter == + (T71617, CVE-2021-31546) - AbuseFilter logs suppression deletions https://gerrit.wikimedia.org/r/q/I38a0a24fa32ca7a052b6940864a32b3856e84553

== AbuseFilter == + (T223654, CVE-2021-31547) - AbuseFilterCheckMatch API reveals suppressed edits and usernames https://gerrit.wikimedia.org/r/q/I4900b1be73323599d74e3164447f81eded094d75 https://gerrit.wikimedia.org/r/q/I3f7dbd8b873d411e37c8c3aac2339bf5ec36907d

== AbuseFilter == + (T71367, CVE-2021-31545) - page_recent_contributors leaks revdeleted user names https://gerrit.wikimedia.org/r/q/I8d5ed9ca84282ee50832035af86123633fc88293

== AbuseFilter == + (T274152, CVE-2021-31549) - Special:AbuseFilter/examine reveals suppressed usernames https://gerrit.wikimedia.org/r/q/I6063c02fa261c4cc0e6dbbb2db4e111eb85912c2 https://gerrit.wikimedia.org/r/q/I71a6d521bd12931ce60eec4d2dc35af19146000f

== CheckUser == + (T275669, CVE-2021-31553) - Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will https://gerrit.wikimedia.org/r/666963 https://gerrit.wikimedia.org/r/666964

== AbuseFilter == + (T152394, CVE-2021-31552) - AbuseFilter privacy concerns on action == 'createaccount' and 'accountname' https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1

== AbuseFilter == + (T272244, CVE-2021-31554) - AbuseFilter blocks not working for account autocreations https://gerrit.wikimedia.org/r/q/Ie1f4333d5b1c9d17fb2236fe38a31de427a4cc48

== OAuth == + (T277380, CVE-2021-31556) - OAuth doesn't validate length of oarc_rsa_key https://gerrit.wikimedia.org/r/q/I13ff0350a9a0a3cd5ab3e1f82dd0d8d9c13cf9e9

== OAuth == + (T277388, CVE-2021-31555) - OAuth doesn't validate length of oarc_version https://gerrit.wikimedia.org/r/q/I222c053b4b14ac1ad0f5b3a51565b1b9cd4c139d

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].

[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.h... [1] https://phabricator.wikimedia.org/T270466 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs