hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
df455d7fb554c693cc4ff853ff46b7b8a75fd748
websafe-kb/08-threat-intel/registry/advisories/mediawiki--aca545ecfd.json

61 行
9.0 KiB
JSON
原始文件 Blame 文件历史

{
"canonical_id": "mediawiki--aca545ecfd",
"system_id": "mediawiki",
"display_name": "MediaWiki",
"category": "cms",
"advisory_mode": "core",
"title": "[MediaWiki-announce] Security and maintenance release: 1.39.13 / 1.42.7 / 1.43.2",
"summary": "I would like to announce the release of MediaWiki 1.39.13, 1.42.7 and 1.43.2!\n\nThese releases serve as security and maintenance releases for these branches.\n\nThe tarballs have already been uploaded as of this email, and the git\ntags will be pushed shortly.\n\nA \"MediaWiki Extensions Security Release Supplement\" e-mail will\nfollow this one, covering security updates for non-bundled extensions.\n\nReports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are\nparticularly welcome, and fixes will be back-ported when possible.\n\nAs part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP\n8.0 and 8.1 may have been backported to applicable releases. If you\nfind issues that haven't been backported, please report these too,\nreferring to the relevant supported release.\n\nPlease see https://phabricator.wikimedia.org/tag/php_8.0_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.1_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.2_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.3_support/ and\nhttps://phabricator.wikimedia.org/tag/php_8.4_support/ for the\nrelevant work boards.\n\nAs a reminder, MediaWiki 1.35 became end of life (EOL) in December\n2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became\nEOL in December 2024.\n\nMediaWiki 1.39 (old LTS) becomes EOL in November 2025.\n\nMediaWiki 1.42 becomes EOL, today, June 30, 2025. A separate email will follow.\n\nIt is strongly recommended to upgrade to 1.43 (the next LTS after\n1.39), which will be supported until December 2027.\n\n== Security fixes ==\n\n* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.\n* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing\nsuppressed users.\n* (T392746, CVE-2025-6590) SECURITY: Escape usernames in\nHTMLUserTextField validation errors.\n* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in\naction=feedcontributions.\n* (T391218, CVE-2025-6592) SECURITY: Creating a permanent account from\na temporary account associates temp username and IP address with real\nusername in AbuseLog.\n* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.\n* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS\nwhen invalid 'format' is provided.\n* (T394863, CVE-2025-6595) SECURITY: Stored XSS through system\nmessages in MultimediaViewer.\n* (T396685, CVE-2025-6596) Vector inserts portlet labels as HTML,\nallowing for stored XSS through system messages.\n* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as\nlogin for reauthentication.\n* (T389010, CVE-2025-6926) SECURITY: Allow extensions to supress the\nreauth flag on login.\n* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when\nbl_deleted=1.\n* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via\nautoblocks of those users.\n\n== Links to all mentioned tasks ==\n\n* https://phabricator.wikimedia.org/T31856\n* https://phabricator.wikimedia.org/T386175\n* https://phabricator.wikimedia.org/T389009\n* https://phabricator.wikimedia.org/T389010\n* https://phabricator.wikimedia.org/T391218\n* https://phabricator.wikimedia.org/T391343\n* https://phabricator.wikimedia.org/T392276\n* https://phabricator.wikimedia.org/T392746\n* https://phabricator.wikimedia.org/T394863\n* https://phabricator.wikimedia.org/T395063\n* https://phabricator.wikimedia.org/T396230\n* https://phabricator.wikimedia.org/T396685\n* https://phabricator.wikimedia.org/T397595\n\n== Release notes ==\n\nFull release notes for 1.39.13:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39\nhttps://www.mediawiki.org/wiki/Release_notes/1.39\n\nFull release notes for 1.42.7:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42\nhttps://www.mediawiki.org/wiki/Release_notes/1.42\n\nFull release notes for 1.43.2:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43\nhttps://www.mediawiki.org/wiki/Release_notes/1.43\n\nFor information about how to upgrade, see\n<https://www.mediawiki.org/wiki/Manual:Upgrading>\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip\n\nPatch to previous version (1.39.12):\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip\n\nPatch to previous version (1.42.6):\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip\n\nPatch to previous version (1.43.1):\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html",
"published_at": "Mon, 30 Jun 2025 18:02:30 +0000",
"updated_at": "Mon, 30 Jun 2025 18:02:30 +0000",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/TT45WDZ7MDTXXBEFLBMLAJI532O2PN2U/",
"secondary_source_urls": [],
"aliases": [],
"cve_ids": [],
"ghsa_ids": [],
"osv_ids": [],
"affected_versions": [],
"fixed_versions": [],
"package_name": null,
"render_markdown": false,
"case_path": null,
"secure_code_topics": [
"xss-output-encoding",
"authz-server-side-recheck",
"file-upload-validation",
"plugin-extension-trust-policy"
],
"status": "triage",
"triage_reasons": [
"missing affected/fixed version details"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"historical_status": null,
"latest_status": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "xss-generic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [
"MediaWiki Announce RSS"
],
"source_kinds": [
"rss-feed"
],
"candidate_count": 1
}
}
在新工单中引用 查看 Git Blame 复制永久链接