
Extension Security Release: OAuth, Echo, PageTriage
Hi all,

In addition to the security release for MediaWiki core earlier today, I'd
like to announce security fixes available for the following 3 extensions:

* Extension:PageTriage - MediaWiki user Grunny discovered a DOM-based XSS in
the way the extension handled page titles.
<https://phabricator.wikimedia.org/T111029>

* Extension:Echo - Internal review discovered that Echo could display deleted
or suppressed usernames when the username was previously used to Thank users.
<https://phabricator.wikimedia.org/T110553>

* Extension:OAuth - Wikipedia user Sitic discovered that the OAuth extension
did not correctly enforce the IP restrictions of a Consumer when using
previously negotiated credentials.
<https://phabricator.wikimedia.org/T103022>

* Extension:OAuth - Wikipedia user Sitic discovered that OAuth would accept a
valid signature from any Consumer when checking the authorization signature.
This allowed a registered Consumer who gained access to another Consumer's
users' access tokens and secrets to use those credentials.
<https://phabricator.wikimedia.org/T103023>
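To illustrate the second OAuth issue, here is an added example (not MediaWiki's or the OAuth extension's own code) of an OAuth 1.0a HMAC-SHA1 check that verifies the signature but never binds the access token to the Consumer named in the request, beside a hardened check that does. The registry contents, endpoint URL, Consumer keys and tokens are all constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample registry (not the extension's real data model):
# consumer key -> consumer secret; access token -> (token secret, issuing consumer)
CONSUMERS = {"consumerA": "secretA", "consumerB": "secretB"}
ACCESS_TOKENS = {"tokenA1": ("tokensecretA1", "consumerA")}
URL = "https://wiki.example/w/index.php"  # constructed endpoint

def pct(s):
    return quote(s, safe="~")  # RFC 5849 percent-encoding

def base_string(method, url, params):
    # Signature base string per RFC 5849 3.4.1; oauth_signature itself is excluded.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_request(consumer_key, consumer_secret, token, token_secret):
    # Builds a signed GET as a Consumer holding the given token would.
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1441000000",
              "oauth_nonce": "n1", "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", URL, params, consumer_secret, token_secret)
    return params

def verify_unbound(params):
    # Weak pattern: the HMAC is checked under the requesting Consumer's secret,
    # but nothing asks whether the token was issued to that Consumer.
    token_secret, _owner = ACCESS_TOKENS[params["oauth_token"]]
    expected = sign("GET", URL, params, CONSUMERS[params["oauth_consumer_key"]], token_secret)
    return hmac.compare_digest(expected, params["oauth_signature"])

def verify_bound(params):
    # Hardened: the token must have been issued to the Consumer named in the request.
    ck, tok = params.get("oauth_consumer_key"), params.get("oauth_token")
    if ck not in CONSUMERS or tok not in ACCESS_TOKENS:
        return False
    token_secret, owner = ACCESS_TOKENS[tok]
    if owner != ck:
        return False
    expected = sign("GET", URL, params, CONSUMERS[ck], token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

A request signed by consumerB with consumerA's user token passes `verify_unbound` but is rejected by `verify_bound`; the ownership check is the missing step, not the HMAC itself.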

**********************************************************************
Extension:PageTriage
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:PageTriage

**********************************************************************
Extension:Echo
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:Echo

**********************************************************************
Extension:OAuth
**********************************************************************
Information and Download:
https://www.mediawiki.org/wiki/Extension:OAuth


None of these extensions are bundled, but they are in use on Wikimedia sites,
hence the announcement. Fixes are in all supported branches in Git and are thus
available from ExtensionDistributor.

-Chad
_______________________________________________
MediaWiki announcements mailing list