websafe-kb/08-threat-intel/registry/advisories/mediawiki--eb8c65d48d.json

{
  "canonical_id": "mediawiki--eb8c65d48d",
  "system_id": "mediawiki",
  "display_name": "MediaWiki",
  "category": "cms",
  "advisory_mode": "core",
  "title": "[MediaWiki-announce] Maintenance release: MediaWiki 1.39.11, 1.41.5 and 1.42.4",
  "summary": "I would like to announce the release of MediaWiki 1.39.11, 1.41.5 and\n1.42.4!\n\nThese releases primarily serve as a maintenance release for these branches.\n\nIt does also contain a low risk, minor security fix for the ConfirmEdit\nextension, more information can be found at T379677.\n\nThe tarballs have already been uploaded as of this email, and the git tags\nhave been pushed.\n\nA \"MediaWiki Extensions Security Release Supplement\" e-mail will follow\nthis one, covering security updates for non-bundled extensions.\n\nReports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are\nparticularly welcome, and fixes will be back-ported when possible. Please\nsee https://phabricator.wikimedia.org/tag/php_8.0_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.1_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.2_support/,\nhttps://phabricator.wikimedia.org/tag/php_8.3_support/ and\nhttps://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant\nwork boards.\n\nAs a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,\nand MediaWiki 1.40 became EOL in June 2024.\n\nMediaWiki 1.41 is due to become EOL at the end of December 2024. A formal\nseparate announcement will follow for that purpose.\n\nIt is strongly recommended to upgrade to either 1.39 (the next LTS after\n1.35), which will be supported until November 2025, or 1.42, which will be\nsupported until June 2025.\n\nMediaWiki 1.43, the next LTS after MediaWiki 1.39 is due to be released in\nthe near future. It will be supported until at least December 2027.\n\n== Links to all mentioned tasks ==\n\n* https://phabricator.wikimedia.org/T379677\n\n== Release notes ==\n\nFull release notes for 1.39.11:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39\nhttps://www.mediawiki.org/wiki/Release_notes/1.39\n\nFull release notes for 1.41.5:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_41/RELEASE-NOTES-1.41\nhttps://www.mediawiki.org/wiki/Release_notes/1.41\n\nFull release notes for 1.42.4:\nhttps://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42\nhttps://www.mediawiki.org/wiki/Release_notes/1.42\n\nFor information about how to upgrade, see\n<https://www.mediawiki.org/wiki/Manual:Upgrading>\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.11.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.11.zip\n\nPatch to previous version (1.39.10):\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.11.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.11.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.11.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.5.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.5.zip\n\nPatch to previous version (1.41.4):\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.5.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.5.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.5.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html\n\n**********************************************************************\nDownload:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.zip\n\nDownload without bundled extensions:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.4.tar.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.4.zip\n\nPatch to previous version (1.42.3):\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.patch.gz\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.patch.zip\n\nGPG signatures:\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.4.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.4.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.tar.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.zip.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.patch.gz.sig\nhttps://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.4.patch.zip.sig\n\nPublic keys:\nhttps://www.mediawiki.org/keys/keys.html",
  "published_at": "Fri, 20 Dec 2024 17:57:58 +0000",
  "updated_at": "Fri, 20 Dec 2024 17:57:58 +0000",
  "severity": "unknown",
  "cvss_score": null,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/PFTE5RHUERS6KTUGGRZO7XXV5THNJ77E/",
  "secondary_source_urls": [],
  "aliases": [],
  "cve_ids": [],
  "ghsa_ids": [],
  "osv_ids": [],
  "affected_versions": [],
  "fixed_versions": [],
  "package_name": null,
  "render_markdown": false,
  "case_path": null,
  "secure_code_topics": [
    "xss-output-encoding",
    "authz-server-side-recheck",
    "file-upload-validation",
    "plugin-extension-trust-policy"
  ],
  "status": "triage",
  "triage_reasons": [
    "missing affected/fixed version details"
  ],
  "entity_refs": [
    {
      "entity_id": "mediawiki",
      "entity_type": "system",
      "relation": "root-system",
      "root_system_id": "mediawiki",
      "official": true
    }
  ],
  "affected_components": [
    {
      "name": "MediaWiki",
      "entity_id": "mediawiki",
      "scope": "core",
      "package_name": null,
      "official": true
    }
  ],
  "affected_version_ranges": [],
  "fixed_version_ranges": [],
  "introduced_version": null,
  "patched_version": null,
  "version_evidence_sources": [
    "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/PFTE5RHUERS6KTUGGRZO7XXV5THNJ77E/"
  ],
  "advisory_scope": "core",
  "version_confidence": "low",
  "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
  "version_resolution_needed": true,
  "workflow": {
    "workflow_id": "mediawiki--eb8c65d48d--workflow",
    "vuln_family": "xss",
    "entry_surface": "web-ui-render-path",
    "preconditions": [
      "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
      "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
      "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
    ],
    "required_role": "editor-or-admin",
    "affected_version_assertion": [
      "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
    ],
    "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
    "request_or_ui_path": [
      "/admin/editor",
      "/preview",
      "/rendered-content"
    ],
    "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
    "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
    "server_evidence_points": [
      "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
      "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
    ],
    "browser_evidence_points": [
      "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
      "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
    ],
    "db_or_fs_evidence_points": [
      "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
      "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
    ],
    "detection_signals": [
      "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
      "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
    ],
    "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
    "patch_validation_steps": [
      "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
      "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
      "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
      "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
    ],
    "lab_safety_notes": [
      "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
      "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
      "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
    ],
    "review_state": "needs-version-gap-review"
  },
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "MediaWiki Announce RSS"
    ],
    "source_kinds": [
      "rss-feed"
    ],
    "candidate_count": 1,
    "entity_ref_count": 1,
    "advisory_scope": "core",
    "version_confidence": "low",
    "workflow_id": "mediawiki--eb8c65d48d--workflow"
  }
}