I tried to match the sponsored patch with the upstream commits, and it's very confusing. I'm not sure I would have sponsored that as-is, at least not without further explanations.
The upstream security announcement[1] lists 5 CVEs, with 5 associated upstream bugs, but the patch in the sponsored package only mentions CVE-44854. Furthermore, the patch mentions that CVE together with upstream bug T297322[2], but the same CVE is also associated with another upstream bug T292763[3], which seems to have a different patch. I.e., are there fixes missing? What about these?
* https://phabricator.wikimedia.org/T294686
* https://phabricator.wikimedia.org/T293589
* https://phabricator.wikimedia.org/T271037
1. https://www.mediawiki.org/wiki/2021-12_security_release/FAQ
2. https://phabricator.wikimedia.org/T297322
3. https://phabricator.wikimedia.org/T292763