Hi all,
In addition to the security release for MediaWiki core earlier today, I'd like to announce security fixes available for the following 3 extensions:
* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in the way the extension handled page titles. https://phabricator.wikimedia.org/T111029
* Extension:Echo - Internal review discovered that Echo could display deleted or suppressed usernames when the username was previously used to Thank users. https://phabricator.wikimedia.org/T110553
* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth extension did not correctly enforce the IP restrictions of a Consumer when using previously negotiated credentials. https://phabricator.wikimedia.org/T103022
* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept a valid signature from any Consumer when checking the authorization signature. This allowed a registered Consumer who gained access to another Consumer's users' access tokens and secrets to use those credentials. https://phabricator.wikimedia.org/T103023

**********************************************************************
Extension:PageTriage
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:PageTriage

**********************************************************************
Extension:Echo
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Echo

**********************************************************************
Extension:OAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:OAuth

None of these extensions are bundled, but they are in use on Wikimedia sites, hence the announcement. Fixes are in all supported branches in Git and are thus available from ExtensionDistributor.
-Chad
mediawiki-announce@lists.wikimedia.org
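
The two OAuth items above (T103022 and T103023) both concern checks a server must repeat on every request made with an existing access token. The following is an added example, not code from the OAuth extension: a simplified OAuth 1.0a-style verifier in Python showing the token-to-Consumer binding check and the per-request IP restriction. All names, keys, secrets and networks in it are constructed, and the signature base string is a simplification of RFC 5849.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample registry; all keys, secrets and networks are made up.
CONSUMERS = {
    "consumer-a": {"secret": "a-secret", "allowed": ["192.0.2.0/24"]},
    "consumer-b": {"secret": "b-secret", "allowed": ["0.0.0.0/0"]},
}
# Each access token records the Consumer it was issued to.
TOKENS = {"tok-1": {"secret": "tok-1-secret", "consumer": "consumer-a"}}


def sign(consumer_secret, token_secret, method, url, nonce):
    """Simplified HMAC-SHA1 signature (not the full RFC 5849 base string)."""
    key = f"{consumer_secret}&{token_secret}".encode()
    base = "&".join([method.upper(), url, nonce]).encode()
    return hmac.new(key, base, hashlib.sha1).hexdigest()


def verify_request(consumer_key, token, method, url, nonce, signature, client_ip):
    """Return (ok, reason) for a request made with an existing access token."""
    consumer = CONSUMERS.get(consumer_key)
    grant = TOKENS.get(token)
    if consumer is None or grant is None:
        return False, "unknown consumer or token"
    # Binding check: a signature that is valid for the presenting Consumer is
    # not enough; the token must have been issued to that same Consumer.
    if grant["consumer"] != consumer_key:
        return False, "token not issued to this consumer"
    # IP restriction is evaluated on every request, not only at negotiation.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(n) for n in consumer["allowed"]):
        return False, "client IP not allowed for this consumer"
    expected = sign(consumer["secret"], grant["secret"], method, url, nonce)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"
```

Without the binding check, a request signed with consumer-b's own secret plus tok-1's secret would verify, because the signature itself is well formed for consumer-b.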