Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN230

_____________________________________________________________________

DATE                : 16/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to
                                 1.39.12, 1.42.6, 1.43.1
                     MediaWiki extensions and skins : PageTriage,
                       CSS, Widgets, Cargo, Apex, DataTransfer.

=====================================================================
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/B47RQYDJLE5YCSTLOT53GROWGF6TJ75L/
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/JURTP3O5CLKAIWGVGELFKP7VCDWVQBBJ/
_____________________________________________________________________
    

I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and
1.43.1!

These releases serve as security and maintenance releases for these
branches.

Apologies for this release being late, it was due in the last week of
March. Unfortunately, due to the onongoing events of
https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of...,
that took priority in terms of resources.

The tarballs have already been uploaded as of this email, and the git tags
will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible.

As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP 8.0
and 8.1 may have been backported to applicable releases. If you find issues
that haven't been backported, please report these too, referring to the
relevant supported release.

Please see https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant
work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,
MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in
December 2024.

MediaWiki 1.39 (old LTS) becomes EOL in November 2025.

MediaWiki 1.43 becomes EOL in June 2025.

It is strongly recommended to upgrade as appropriate to either 1.42, which
will be supported until June 2025, or ideally to 1.43 (the next LTS after
1.39), which will be supported until December 2027.

== Security fixes ==

* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file
revert action.
* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager:
Differentiate between cascading protection of file content and file pages.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
functions do not correctly enforce suppression restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
* (T389235 CVE-2025-32700) SECURITY: AbuseFilter log interfaces expose
global private and hidden filters when central DB is not available.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T24521
* https://phabricator.wikimedia.org/T62109
* https://phabricator.wikimedia.org/T140010
* https://phabricator.wikimedia.org/T304474
* https://phabricator.wikimedia.org/T358689
* https://phabricator.wikimedia.org/T385958
* https://phabricator.wikimedia.org/T387130
* https://phabricator.wikimedia.org/T389235

== Release notes ==

Full release notes for 1.39.12:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-...
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.42.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-...
https://www.mediawiki.org/wiki/Release_notes/1.42

Full release notes for 1.43.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-...
https://www.mediawiki.org/wiki/Release_notes/1.43

For information about how to upgrade, see
https://www.mediawiki.org/wiki/Manual:Upgrading

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip

Patch to previous version (1.39.11):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz....
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip.si...

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip

Patch to previous version (1.42.4):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.s...
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip

Patch to previous version (1.43.0):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz.s...
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

_____________________________________________________________________
   

Greetings-

With the security/maintenance release of MediaWiki 1.39.9/1.41.3/1.42.2, we
would also like to provide this supplementary announcement of MediaWiki
extensions and skins with now-public Phabricator tasks, security patches
and backports [1]:

PageTriage
+ (T366991, CVE-2024-47848) - User can review/unreview articles while
blocked
https://gerrit.wikimedia.org/r/q/I0288a715f7040a14ab7f70b2888fe1ef77a44588

CSS
+ (T368594, CVE-2024-47845) - CSS sanitizer used incorrectly
https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53

Widgets
+ (T370022, CVE-2024-35226) - smarty library version has CVE
https://gerrit.wikimedia.org/r/q/I18f161c338f8c52477a766524c255a31879d5e63

Cargo
+ (T370632, CVE-2024-47849) - Backticks can allow the usage of not-allowed
SQL functions
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1055963

Cargo
+ (T372209, CVE-2024-47846) - Special:DeleteCargoTable and
Special:SwitchCargoTable have no CSRF protection
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723

Cargo
+ (T372211, CVE-2024-47847) - Various XSSes found in Cargo
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063804
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063806
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063827
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063831

Apex
+ (T370081, CVE-2024-47840) - Stored XSS through sidebar
https://gerrit.wikimedia.org/r/q/Id9093783051c3f8e6dcb5dc89f9493a5f5cf7bd7

CSS
+ (T369486, CVE-2024-47841) - Path traversal when loading stylesheets
https://gerrit.wikimedia.org/r/q/I46613d8d50fc978bdac58e2b312ee03324c1edc8

DataTransfer
+ (T375358, CVE-2024-45048, CVE-2024-45046) - vulnerable version of
`phpoffice/phpspreadsheet`
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1074761

The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security@wikimedia.org
or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T368628
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

_____________________________________________________________________
    
Hello -

One small correction regarding the recent MediaWiki Extensions and Skins
Security Release Supplement announcement emails - within their email
subject and the first paragraph of the announcement, it was stated that
these releases were for MediaWiki versions 1.39.9, 1.41.3 and 1.42.2. This
is incorrect.  The correct versions for this release are 1.39.12, 1.42.6
and 1.43.1 per the now-public security release task [0].  We apologize for
this error.

[0] https://phabricator.wikimedia.org/T382326

-- 
Scott Bassett
sbassett@wikimedia.org

    
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================