Version in base suite: 1.39.17-1~deb12u1 Base version: mediawiki_1.39.17-1~deb12u1 Target version: mediawiki_1.39.17-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mediawiki/mediawiki_1.39.17-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mediawiki/mediawiki_1.39.17-1+deb12u2.dsc changelog | 7 +++ patches/0003-CVE-2026-34092.patch | 46 ++++++++++++++++++++ patches/0004-CVE-2026-34088.patch | 85 +++++++++++++++++++++++++++++++++++++ patches/0005-CVE-2026-34093.patch | 86 ++++++++++++++++++++++++++++++++++++++ patches/0006-CVE-2026-34095.patch | 59 ++++++++++++++++++++++++++ patches/0007-CVE-2026-34087.patch | 64 ++++++++++++++++++++++++++++ patches/series | 5 ++ 7 files changed, 352 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppevic1gx/mediawiki_1.39.17-1~deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppevic1gx/mediawiki_1.39.17-1+deb12u2.dsc: no acceptable signature found
diff -Nru mediawiki-1.39.17/debian/changelog mediawiki-1.39.17/debian/changelog
--- mediawiki-1.39.17/debian/changelog 2025-12-17 15:52:47.000000000 +0000
+++ mediawiki-1.39.17/debian/changelog 2026-04-10 22:06:54.000000000 +0000
@@ -1,3 +1,10 @@
+mediawiki (1:1.39.17-1+deb12u2) bookworm-security; urgency=medium
+
+ * Backport upstream patches for CVE-2026-34092, CVE-2026-34088,
+ CVE-2026-34093, CVE-2026-34095 and CVE-2026-34087.
+
+ -- Taavi Väänänen Sat, 11 Apr 2026 01:06:54 +0300
+
 mediawiki (1:1.39.17-1~deb12u1) bookworm-security; urgency=medium
 
 * New upstream version 1.39.17, fixing CVE-2025-67475, CVE-2025-67477,
diff -Nru mediawiki-1.39.17/debian/patches/0003-CVE-2026-34092.patch mediawiki-1.39.17/debian/patches/0003-CVE-2026-34092.patch
--- mediawiki-1.39.17/debian/patches/0003-CVE-2026-34092.patch 1970-01-01 00:00:00.000000000 +0000
+++ mediawiki-1.39.17/debian/patches/0003-CVE-2026-34092.patch 2026-04-08 17:55:16.000000000 +0000
@@ -0,0 +1,46 @@
+From 73921d47895991e1be810f5def4aad0b5a949043 Mon Sep 17 00:00:00 2001
+From: STran
+Date: Thu, 18 Dec 2025 08:33:14 -0800
+Subject: [PATCH] SECURITY: Ignore autoblocks when setting Skin's toolbox links
+
+CVE-2026-34092
+
+Why:
+An autoblock from a user can expose its existence by being found
+on a page with the IP as the relevant user
+
+What:
+- Only consider a target blocked if the block is not an autoblock
+
+Bug: T384147
+---
+ includes/skins/Skin.php | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/includes/skins/Skin.php b/includes/skins/Skin.php
+index 0448449c836..c335ad26044 100644
+--- a/includes/skins/Skin.php
++++ b/includes/skins/Skin.php
+@@ -20,6 +20,7 @@
+ * @file
+ */
+
++use MediaWiki\Block\Block;
+ use MediaWiki\HookContainer\ProtectedHookAccessorTrait;
+ use MediaWiki\MainConfigNames;
+ use MediaWiki\MediaWikiServices;
+@@ -1388,7 +1389,10 @@ abstract class Skin extends ContextSource {
+ $userBlock = MediaWikiServices::getInstance()
+ ->getBlockManager()
+ ->getUserBlock( $user, null, true );
+- if ( $userBlock ) {
++ if (
++ $userBlock
++ && $userBlock->getType() === Block::TYPE_AUTO
++ ) {
+ $nav_urls['changeblockip'] = [
+ 'href' => self::makeSpecialUrlSubpage( 'Block', $rootUser )
+ ];
+--
+2.53.0
+
diff -Nru mediawiki-1.39.17/debian/patches/0004-CVE-2026-34088.patch mediawiki-1.39.17/debian/patches/0004-CVE-2026-34088.patch
--- mediawiki-1.39.17/debian/patches/0004-CVE-2026-34088.patch 1970-01-01 00:00:00.000000000 +0000
+++ mediawiki-1.39.17/debian/patches/0004-CVE-2026-34088.patch 2026-04-08 17:55:16.000000000 +0000
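Review bot: The new condition `$userBlock->getType() === Block::TYPE_AUTO` as shown contradicts the commit message ("Only consider a target blocked if the block is not an autoblock"): with `===` the 'changeblockip' link is built only when the block *is* an autoblock, which is exactly the case the patch is meant to stop exposing on an IP's page. If the backported file really reads `===`, the comparison should be `&& $userBlock->getType() !== Block::TYPE_AUTO`; if this is a rendering artefact of the page, confirm the shipped patch against upstream 73921d4 before release. A one-line comment above the `if` would keep the intent from being "fixed" back later, e.g. `// Autoblocks are deliberately ignored: showing a block link on an IP's page would reveal that a blocked account edited from it (T384147)`. The enclosing method and any `else` branch that builds the plain block link are outside the hunk, so what an autoblocked IP now falls through to cannot be checked here.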
@@ -0,0 +1,85 @@ +From 8706fd1af0f659951a11327b5226673f2a832c61 Mon Sep 17 00:00:00 2001 +From: Maryum Styles +Date: Tue, 20 Jan 2026 17:11:30 -0500 +Subject: [PATCH] SECURITY: Remove suppressed content from log page + +CVE-2026-34088 + +When certain MediaWiki log data is hidden/suppressed, it can be exposed via Special:RecentChanges's html, +via the data-target-page attribute. This change updates data-target-attribute to show the rev-deleted-event +message if the user does not have permissions to view the log data. + +Bug: T410429 +Change-Id: I252608ebf89bcf5125d0ef547381552d9f0a4c72 +--- + includes/changes/EnhancedChangesList.php | 13 +++++++++++-- + includes/changes/OldChangesList.php | 11 +++++++++-- + 2 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/includes/changes/EnhancedChangesList.php b/includes/changes/EnhancedChangesList.php +index 88a99855fe5..fa9cc4bb964 100644 +--- a/includes/changes/EnhancedChangesList.php ++++ b/includes/changes/EnhancedChangesList.php +@@ -368,7 +368,11 @@ class EnhancedChangesList extends ChangesList { + + $type = $rcObj->mAttribs['rc_type']; + $data = []; +- $lineParams = [ 'targetTitle' => $rcObj->getTitle() ]; ++ $titleText = $rcObj->getTitle(); ++ if ( !ChangesList::userCan( $rcObj, RevisionRecord::DELETED_TEXT, $this->getAuthority() ) ) { ++ $titleText = $this->msg( 'rev-deleted-event' ); ++ } ++ $lineParams = [ 'targetTitle' => $titleText ]; + + $classes = [ 'mw-enhanced-rc' ]; + if ( $rcObj->watched ) { +@@ -726,11 +730,16 @@ class EnhancedChangesList extends ChangesList { + $line .= "\u{00A0}" . 
$data['timestampLink']; + unset( $data['timestampLink'] ); + } ++ ++ $titleText = $rcObj->getTitle(); ++ if ( !ChangesList::userCan( $rcObj, RevisionRecord::DELETED_TEXT, $this->getAuthority() ) ) { ++ $titleText = $this->msg( 'rev-deleted-event' )->escaped(); ++ } + $line .= "\u{00A0}"; + $line .= Html::openElement( 'td', [ + 'class' => 'mw-changeslist-line-inner', + // Used for reliable determination of the affiliated page +- 'data-target-page' => $rcObj->getTitle(), ++ 'data-target-page' => $titleText, + ] ); + + // everything else: makes it easier for extensions to add or remove data +diff --git a/includes/changes/OldChangesList.php b/includes/changes/OldChangesList.php +index f918c64aeea..f513e24fe5b 100644 +--- a/includes/changes/OldChangesList.php ++++ b/includes/changes/OldChangesList.php +@@ -22,6 +22,7 @@ + + use MediaWiki\MainConfigNames; + use MediaWiki\MediaWikiServices; ++use MediaWiki\Revision\RevisionRecord; + + class OldChangesList extends ChangesList { + +@@ -149,9 +150,15 @@ class OldChangesList extends ChangesList { + $html .= ' ' . 
$this->numberofWatchingusers( $rc->numberofWatchingusers ); + } + ++ $titleText = $rc->getTitle(); ++ if ( !ChangesList::userCan( $rc, RevisionRecord::DELETED_TEXT, $this->getAuthority() ) ) { ++ $titleText = $this->msg( 'rev-deleted-event' )->escaped(); ++ } ++ ++ // @phan-suppress-next-line SecurityCheck-DoubleEscaped + $html = Html::rawElement( 'span', [ + 'class' => 'mw-changeslist-line-inner', +- 'data-target-page' => $rc->getTitle(), // Used for reliable determination of the affiliated page ++ 'data-target-page' => $titleText, // Used for reliable determination of the affiliated page + ], $html ); + if ( is_callable( $this->changeLinePrefixer ) ) { + $prefix = call_user_func( $this->changeLinePrefixer, $rc, $this, false ); +-- +2.53.0 + diff -Nru mediawiki-1.39.17/debian/patches/0005-CVE-2026-34093.patch mediawiki-1.39.17/debian/patches/0005-CVE-2026-34093.patch --- mediawiki-1.39.17/debian/patches/0005-CVE-2026-34093.patch 1970-01-01 00:00:00.000000000 +0000 +++ mediawiki-1.39.17/debian/patches/0005-CVE-2026-34093.patch 2026-04-10 21:58:34.000000000 +0000 
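Review bot: The three substitutions are inconsistent about escaping: the `targetTitle` line-param in EnhancedChangesList receives the bare `Message` object (`$this->msg( 'rev-deleted-event' )`, no `->escaped()` or `->text()`), while the two `data-target-page` sites call `->escaped()` and then pass the result to `Html::openElement`/`Html::rawElement`, which escape attribute values themselves — which is why the `SecurityCheck-DoubleEscaped` suppression had to be added in OldChangesList. Since the attribute is documented as a machine-readable page identifier ("Used for reliable determination of the affiliated page"), putting a localised, doubly-escaped message text in it also changes behaviour for any script consuming it; a cleaner fix is to omit the attribute (or emit `''`) when `ChangesList::userCan()` fails and use `->text()` wherever a string is needed, e.g. `'data-target-page' => $canSeeTarget ? $rc->getTitle() : ''`, which also removes the phan suppression. Whether `RevisionRecord` is already imported in EnhancedChangesList.php cannot be seen from the hunk (OldChangesList gains a `use`, EnhancedChangesList does not); confirm it resolves.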
@@ -0,0 +1,86 @@ +From cc523adb303d917aef4ee0b3aa667c376d26c618 Mon Sep 17 00:00:00 2001 +From: Marcin Szwarc +Date: Wed, 14 Jan 2026 11:44:26 +0100 +Subject: [PATCH] SECURITY: Restrict access to interwiki user groups on + S:UserRights + +CVE-2026-34093 + +Why: +* Special:UserRights could be used to enumerate users on private + wikis, even if performer has no special permissions. + +What: +* If performer has no `userrights-interwiki` permission, redirect them + to the remote wiki for viewing permissions there. + +Bug: T414547 +Change-Id: Ib2dda03bedf86506afa83e6ae681ec632f8c965e +--- + includes/specials/SpecialUserrights.php | 43 +++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/includes/specials/SpecialUserrights.php b/includes/specials/SpecialUserrights.php +index fe4a9312cdc..f973e716d8d 100644 +--- a/includes/specials/SpecialUserrights.php ++++ b/includes/specials/SpecialUserrights.php +@@ -186,6 +186,13 @@ class UserrightsPage extends SpecialPage { + + $this->switchForm(); + ++ if ( $this->mTarget !== null && !$this->getAuthority()->isAllowed( 'userrights-interwiki' ) ) { ++ $isRedirected = $this->redirectIfRemoteWikiForView( $this->mTarget ); ++ if ( $isRedirected ) { ++ return; ++ } ++ } ++ + if ( + $request->wasPosted() && + $request->getCheck( 'saveusergroups' ) && +@@ -261,6 +268,42 @@ class UserrightsPage extends SpecialPage { + } + } + ++ /** ++ * If the special page is used for an interwiki user and the performer ++ * has no userrights-interwiki permission, redirect them to the remote wiki, ++ * instead of displaying the groups. ++ * ++ * This helps with appropriate listing of implicit groups and ensures that ++ * the performer has read access to the remote wiki. ++ * ++ * Returns a boolean value, indicating whether the redirect occurred. 
++ */ ++ private function redirectIfRemoteWikiForView( string $target ): bool { ++ $interwikiDelimiter = $this->getConfig()->get( MainConfigNames::UserrightsInterwikiDelimiter ); ++ if ( !str_contains( $target, $interwikiDelimiter ) ) { ++ return false; ++ } ++ ++ $targetParts = explode( $interwikiDelimiter, $target ); ++ [ $user, $remoteWikiId ] = $targetParts; ++ ++ if ( WikiMap::isCurrentWikiId( $remoteWikiId ) ) { ++ // No need for redirect ++ return false; ++ } ++ ++ $remoteWiki = WikiMap::getWiki( $remoteWikiId ); ++ if ( !$remoteWiki ) { ++ // Nowhere to redirect to ++ return false; ++ } ++ ++ $remoteUrl = $remoteWiki->getUrl( 'Special:UserRights' ); ++ $remoteUrl = wfAppendQuery( $remoteUrl, [ 'user' => $user ] ); ++ $this->getOutput()->redirect( $remoteUrl ); ++ return true; ++ } ++ + private function getSuccessURL() { + return $this->getPageTitle( $this->mTarget )->getFullURL(); + } +-- +2.53.0 + diff -Nru mediawiki-1.39.17/debian/patches/0006-CVE-2026-34095.patch mediawiki-1.39.17/debian/patches/0006-CVE-2026-34095.patch --- mediawiki-1.39.17/debian/patches/0006-CVE-2026-34095.patch 1970-01-01 00:00:00.000000000 +0000 +++ mediawiki-1.39.17/debian/patches/0006-CVE-2026-34095.patch 2026-04-10 22:06:12.000000000 +0000 
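Review bot: `redirectIfRemoteWikiForView()` fails open when the wiki id is not known to `WikiMap`: `if ( !$remoteWiki ) { return false; }` lets `execute()` continue into its normal target handling, so a remote database that is valid for user rights but has no WikiMap entry would still be looked up for a performer without `userrights-interwiki` — the remainder of `execute()` is outside the hunk, so whether that path has its own guard cannot be confirmed from here. If it does not, this branch should fail closed (render the page's existing "no interwiki permission" error and `return true`) rather than `return false`. `[ $user, $remoteWikiId ] = $targetParts;` also silently drops anything after a second delimiter and does not `trim()` the pieces, which may diverge from how the same target string is parsed elsewhere in the class. The docblock would be complete with `@param string $target` and `@return bool` in place of the prose "Returns a boolean value" line.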
@@ -0,0 +1,59 @@ +From e615a54668bd81294ed3300758dada63ee50d1f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Taavi=20V=C3=A4=C3=A4n=C3=A4nen?= +Date: Fri, 6 Mar 2026 12:41:52 +0200 +Subject: [PATCH] SECURITY: Actions: Make headers set after redirect actually + apply + +CVE-2026-34095 + +If a special page redirect is done, the Request object in the context is +set to a DerivativeRequest, which extends from FauxRequest and thus +returns a FauxResponse from WebRequest::response(). + +This patch updates the actions entry point to copy any headers set in +that FauxResponse object to be applied to the real response object, to +make sure that e.g. the correct Content-Type is set for redirected +action=raw requests. + +Bug: T419192 +Change-Id: I04ec931bc8997383bf837738a3968bfd8a044858 +--- + includes/FauxResponse.php | 5 +++++ + includes/MediaWiki.php | 11 +++++++++++ + 2 files changed, 16 insertions(+) + +--- a/includes/FauxResponse.php ++++ b/includes/FauxResponse.php +@@ -82,6 +82,11 @@ + return $this->headers[$key] ?? null; + } + ++ /** @return string[] All set headers */ ++ public function getHeaders(): array { ++ return $this->headers ?? []; ++ } ++ + /** + * Get the HTTP response code, null if not set + * +--- a/includes/MediaWiki.php ++++ b/includes/MediaWiki.php +@@ -327,6 +327,18 @@ + . 
" returned neither an object nor a URL" ); + } + } ++ ++ $contextRequest = $this->context->getRequest(); ++ if ( $contextRequest instanceof FauxRequest ) { ++ $fauxResponse = $contextRequest->response(); ++ if ( $fauxResponse->getStatusCode() ) { ++ $request->response()->statusHeader( $fauxResponse->getStatusCode() ); ++ } ++ foreach ( $fauxResponse->getHeaders() as $key => $value ) { ++ $request->response()->header( "$key: $value" ); ++ } ++ } ++ + $output->considerCacheSettingsFinal(); + } + } diff -Nru mediawiki-1.39.17/debian/patches/0007-CVE-2026-34087.patch mediawiki-1.39.17/debian/patches/0007-CVE-2026-34087.patch --- mediawiki-1.39.17/debian/patches/0007-CVE-2026-34087.patch 1970-01-01 00:00:00.000000000 +0000 +++ mediawiki-1.39.17/debian/patches/0007-CVE-2026-34087.patch 2026-04-08 17:55:16.000000000 +0000 
@@ -0,0 +1,64 @@ +From 34c82a68b319819fbd0080e2393511d22a8bcc2e Mon Sep 17 00:00:00 2001 +From: Roan Kattouw +Date: Thu, 22 Jan 2026 17:00:32 -0800 +Subject: [PATCH] SECURITY: Don't leak user's lack of 2FA to other users + +CVE-2026-34087 + +There are some ways that the onUserEffectiveGroups hook can be called +fro a user who is not the currently logged-in user, for example through +the action=query&list=users API. If a user is in a restricted group that +requires 2FA, but doesn't have 2FA enabled, this fact is leaked through +this API and other channels. + +To fix this infromation leak, don't modify the user's effective groups +unless the user in question is the user who is logged in. This means +that a user who is a member of a 2FA-requiring group but doesn't have +2FA won't be treated as a member of that group when they are logged in +(and won't be able to take actions restricted to that group), but if +another user asks, we will pretend that the user is in that group. + +In particular, this means that users who are in a 2FA-requiring group +but don't have 2FA will still get the group JS and CSS for that group, +because load.php is a session-less endpoint. 
+
+Bug: T412061
+Change-Id: Ic74f654385b8e43aba10cd7266649213740b6b81
+---
+ extensions/OATHAuth/src/Hook/HookHandler.php | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/extensions/OATHAuth/src/Hook/HookHandler.php b/extensions/OATHAuth/src/Hook/HookHandler.php
+index d3ae0585..9e634bf3 100644
+--- a/extensions/OATHAuth/src/Hook/HookHandler.php
++++ b/extensions/OATHAuth/src/Hook/HookHandler.php
+@@ -2,6 +2,7 @@
+
+ namespace MediaWiki\Extension\OATHAuth\Hook;
+
++use BadMethodCallException;
+ use Config;
+ use MediaWiki\Auth\AuthenticationRequest;
+ use MediaWiki\Extension\OATHAuth\OATHAuth;
+@@ -199,6 +200,18 @@ class HookHandler implements
+ * @param string[] &$groups Current effective groups
+ */
+ public function onUserEffectiveGroups( $user, &$groups ) {
++ // If the user has 2FA disabled, don't leak that information to other users (T412061)
++ try {
++ if ( !$user->equals( RequestContext::getMain()->getUser() ) ) {
++ return;
++ }
++ } catch ( BadMethodCallException $_ ) {
++ // If we got this exception, it means we are in a session-less entry point.
++ // Treat this as if the current user is not the same as $user, and don't expose
++ // $user's potential lack of 2FA
++ return;
++ }
++
+ $disabledGroups = $this->getDisabledGroups( $user, $groups );
+ if ( $disabledGroups ) {
+ $groups = array_diff( $groups, $disabledGroups );
+--
+2.53.0
+
diff -Nru mediawiki-1.39.17/debian/patches/series mediawiki-1.39.17/debian/patches/series
--- mediawiki-1.39.17/debian/patches/series 2025-12-16 20:25:38.000000000 +0000
+++ mediawiki-1.39.17/debian/patches/series 2026-04-08 17:55:16.000000000 +0000
@@ -1,2 +1,7 @@
 0001-Have-Scribunto-use-packaged-lua5.1-rather-than-bundl.patch
 0002-Have-SyntaxHighlight-use-packaged-pygmentize-rather-.patch
+0003-CVE-2026-34092.patch
+0004-CVE-2026-34088.patch
+0005-CVE-2026-34093.patch
+0006-CVE-2026-34095.patch
+0007-CVE-2026-34087.patch
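Review bot: The early `return` skips the 2FA-group filtering whenever `$user` is not the main request context's user, which covers not only the API case the message describes but also any authorisation performed outside that context — jobs, maintenance scripts, or code that evaluates groups for a `User` object other than the request's — where a member of a 2FA-requiring group without 2FA would now be treated as a full member; the commit message acknowledges this for load.php, but the code comment should say it too so the trade-off is not lost, e.g. `// NOTE: outside the main request context (jobs, maintenance, session-less entry points) the restricted groups are NOT removed; do not rely on this hook for authorisation there`. `RequestContext` is referenced unqualified inside `MediaWiki\Extension\OATHAuth\Hook` and the import hunk adds only `use BadMethodCallException;`; it may already be imported further down the `use` list, which the hunk cuts off after `OATHAuth`, so confirm it resolves. The catch that maps `BadMethodCallException` to "not the same user" is the right fail-closed default, but it will also swallow an unrelated `BadMethodCallException` thrown by `$user->equals()`, which the comment could mention.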