Greetings-
With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
CheckUser + (T361293 https://phabricator.wikimedia.org/T361293, CVE-2024-40606) - Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2
CheckUser + (T361295 https://phabricator.wikimedia.org/T361295, CVE-2024-40610) - CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9
CheckUser + (T361296 https://phabricator.wikimedia.org/T361296, CVE-2024-40608) - Special:Investigate exposes suppressed usernames to those who do not have the rights to see them https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241
CheckUser + (T361479 https://phabricator.wikimedia.org/T361479, CVE-2024-40607) - Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232
CheckUser + (T326867 https://phabricator.wikimedia.org/T326867, CVE-2024-40598) - CheckUser API can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294
CheckUser + (T326865 https://phabricator.wikimedia.org/T326865, CVE-2024-40597) - Special:CheckUser can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782
CheckUser + (T338419 https://phabricator.wikimedia.org/T338419, CVE-2024-40609) - Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22
CheckUser + (T268147 https://phabricator.wikimedia.org/T268147, CVE-2024-40611) - Special:CheckUser shows deleted edits to non-admins
CheckUser + (T326866 https://phabricator.wikimedia.org/T326866, CVE-2024-40596) - Special:Investigate can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100
GuMaxDD + (T361448 https://phabricator.wikimedia.org/T361448, CVE-2024-40599) - GuMaxDD skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a
Nimbus + (T361450 https://phabricator.wikimedia.org/T361450, CVE-2024-40604) - Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad
Tempo + (T361451 https://phabricator.wikimedia.org/T361451, CVE-2024-40602) - Tempo skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a
Foreground + (T361452 https://phabricator.wikimedia.org/T361452, CVE-2024-40605) - Foreground skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344
BlueLL + (T361453 https://phabricator.wikimedia.org/T361453, CVE-2024-40612) - BlueLL skin: stored XSS via MediaWiki:Sidebar https://github.com/lingua-libre/BlueLL/pull/18
Metrolook + (T361449 https://phabricator.wikimedia.org/T361449, CVE-2024-40600) - Metrolook skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e
MediaWikiChat + (T362588 https://phabricator.wikimedia.org/T362588, CVE-2024-40601) - Classic CSRF in MediaWikiChat's API modules https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/102349...
ArticleRatings + (T363884 https://phabricator.wikimedia.org/T363884, CVE-2024-40603) - Special:ChangeRating is vulnerable to CSRF https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7
Gadgets + (T363773 https://phabricator.wikimedia.org/T363773, CVE-2024-40613) - Evil regex used to process gadget definitions https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T361321 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs
wikitech-l@lists.wikimedia.org