{
"canonical_id": "mediawiki--05670a18f6",
"system_id": "mediawiki",
"display_name": "MediaWiki",
"category": "cms",
"advisory_mode": "core",
"title": "[MediaWiki-announce] Maintenance release: MediaWiki 1.43.8 / 1.44.5 / 1.45.3",
"summary": "I would like to announce the release of MediaWiki 1.43.8, 1.44.5 and 1.45.3!\n\nThis release primarily serves as a security and maintenance release for\nthese branches.\n\nIt fixes a mixture of backport issues, and drops some tests in AbuseFilter\non REL1_43 and REL1_44 that wouldn't pass CI on PHP 8.1. Localisation\nupdates for REL1_44 have been included as per the daily process that runs.\n\nThe tarballs have already been uploaded as of this email, and the git tag\nhas been pushed.\n\nReports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and\nfixes will be backported when possible. If you find issues that haven't\nbeen backported, please report these too, referring to the relevant\nsupported release.\n\nPHP 8.x workboards:\n* https://phabricator.wikimedia.org/tag/php_8.0_support/\n* https://phabricator.wikimedia.org/tag/php_8.1_support/\n* https://phabricator.wikimedia.org/tag/php_8.2_support/\n* https://phabricator.wikimedia.org/tag/php_8.3_support/\n* https://phabricator.wikimedia.org/tag/php_8.4_support/\n* https://phabricator.wikimedia.org/tag/php_8.5_support/\n\nAs a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki\n1.42 became EOL in June 2025.\n\n== Release notes ==\n\nFull release notes for 1.43.7:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43\nhttps://www.mediawiki.org/wiki/Release_notes/1.43\n\nFull release notes for 1.44.4:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44\nhttps://www.mediawiki.org/wiki/Release_notes/1.44\n\nFull release notes for 1.45.2:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45\nhttps://www.mediawiki.org/wiki/Release_notes/1.45\n\nFor information about how to upgrade, see 
<\nhttps://www.mediawiki.org/wiki/Manual:Upgrading>\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.8.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.8.zip\n\nPatch to previous version (1.43.7):\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.8.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.8.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.5.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.5.zip\n\nPatch to previous version (1.44.4):\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.patch.zip\n\nGPG 
signatures:\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.5.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.5.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.5.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.3.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.3.zip\n\nPatch to previous version (1.45.2):\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.3.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.3.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.3.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html",
"published_at": "Wed, 01 Apr 2026 13:09:42 +0000",
"updated_at": "Wed, 01 Apr 2026 13:09:42 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6VW6OGVSC7LO3QUMBEZOPQFYYOFDJ452/",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"xss-output-encoding",
"authz-server-side-recheck",
"file-upload-validation",
"plugin-extension-trust-policy"
],
"status": "triage",
"triage_reasons": [
"fixed versions 1.43.8, 1.44.5 and 1.45.3 are named in the bulletin title and download links, but the affected range and the specific security issues fixed are not disclosed; affected_versions/fixed_versions still need manual population from the branch RELEASE-NOTES"
],
"entity_refs": [
{
"entity_id": "mediawiki",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "mediawiki",
"official": true
}
],
"affected_components": [
{
"name": "MediaWiki",
"entity_id": "mediawiki",
"scope": "core",
"package_name": null,
"official": true
}
],
"affected_version_ranges": [],
"fixed_version_ranges": [],
"introduced_version": null,
"patched_version": null,
"version_evidence_sources": [
"https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6VW6OGVSC7LO3QUMBEZOPQFYYOFDJ452/"
],
"affected_version_refs": [],
"fixed_version_refs": [],
"patched_version_refs": [],
"version_sync_confidence": "low",
"advisory_scope": "core",
"version_confidence": "low",
"version_gap_reason": "official bulletin names the released versions (1.43.8, 1.44.5, 1.45.3) and calls itself a security and maintenance release, but does not expose explicit affected/fixed version ranges, CVE identifiers, or a description of the security fixes",
"version_resolution_needed": true,
"workflow": {
"workflow_id": "mediawiki--05670a18f6--workflow",
"vuln_family": "plugin-extension",
"entry_surface": "extension-management-surface",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "plugin-manager-or-admin",
"affected_version_assertion": [
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
],
"trigger_vector": "\u5bf9 `plugin-extension` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/plugins",
"/extensions",
"/themes"
],
"input_shape": "\u5728\u6269\u5c55\u7ba1\u7406\u6216\u6269\u5c55\u529f\u80fd\u5165\u53e3\u4e2d\u63d0\u4ea4\u53d7\u63a7\u914d\u7f6e/\u5185\u5bb9\u3002",
"expected_unsafe_behavior": "\u6269\u5c55\u5b89\u88c5\u3001\u914d\u7f6e\u6216\u8fd0\u884c\u7a81\u7834\u4e86\u4fe1\u4efb\u8fb9\u754c\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `plugin-extension` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "needs-version-gap-review"
},
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"MediaWiki Announce RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1,
"entity_ref_count": 1,
"advisory_scope": "core",
"version_confidence": "low",
"workflow_id": "mediawiki--05670a18f6--workflow"
}
}