Greetings-

...and hopefully one last round of apologies.  It was pointed out that the
_contents_ of the previous release emails were _also_ incorrect, as opposed
to just the relevant versions of MediaWiki.  The following is both the
correct content (released security issues) and relevant MediaWiki versions.

With the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1,
we would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

SimpleCalendar
+ (T383472, CVE-2025-32077) - XSSes in Extension:SimpleCalendar
https://gerrit.wikimedia.org/r/q/Ic5b5ce8f7791026eff1aafffb32a68f3aab119be

VersionCompare
+ (T384269, CVE-2025-32078) - XSSes and potential RCE in
Special:VersionCompare
https://gerrit.wikimedia.org/r/q/If901b3b98e615e1a4f4034d932d2d592000b51d0

GrowthExperiments
+ (T384244, CVE-2025-32079) - Saving the right content to
MediaWiki:GrowthMentors.json can take down the site
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1114020

MobileFrontend
+ (T366402, CVE-2025-32080) - Cross-origin data leak in mobilefrontend via
lazy load images
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MobileFrontend/+/1123392

VisualData
+ (T385935, CVE-2025-32076) - Evil regex used to process user-provided data
in VisualData
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualData/+/1121732

FeedUtils
+ (T386175, CVE-2025-32072) - HTML injection in feed output from i18n
message
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1120134

HTMLTags
+ (T386337, CVE-2025-32073) - System message XSS in HTMLTags
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/HTMLTags/+/1121056

ConfirmAccount
+ (T386908, CVE-2025-32074) - XSSes in Extension:ConfirmAccount
https://gerrit.wikimedia.org/r/q/I86f47103ffb78c671890b44ccd59fcff6613975f

Tabs
+ (T386887, CVE-2025-32075) - IP and user agent leaks in Extension:Tabs
https://gerrit.wikimedia.org/r/q/I03bec9528ee3ed05f35187458cde4e2fc4b51092

GrowthExperiments
+ (T386963, CVE-2025-32067) - i18n XSS vulnerability in message
growthexperiments
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/1122163

OAuth
+ (T336113, CVE-2025-32068) - Revoking authorization of OAuth2 consumer
does not invalidate refresh tokens
https://gerrit.wikimedia.org/r/q/I27b61af2cdfb862a42432e7a87b863033d540cfc

WikibaseMediaInfo
+ (T387691, CVE-2025-32069) - Wikitext stored XSS on filepages due to
dangerous WBMI serialization
https://gerrit.wikimedia.org/r/q/Ie969a8cfeab0d4457417773fa884e271968e5657

AJAXPoll
+ (T389590, CVE-2025-32070) - XSSes in AJAXPoll
https://gerrit.wikimedia.org/r/q/Ib59c59b2cd36928ab200149c851e2bfcf5cf920c

Wikibase
+ (T389369, CVE-2025-32071) - Wikibase CommonsInlineImageFormatter: i18n XSS
https://gerrit.wikimedia.org/r/q/Iac1f1c27054bfd1a4a4251281ab8c72f59204a90

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact secur...@wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T382326
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

-- 
Scott Bassett
sbass...@wikimedia.org
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
