MediaWiki-announce November 2016

mediawiki-announce@lists.wikimedia.org

3 participants
5 discussions

MediaWiki 1.28 now available!
by Chad Horohoe 28 Nov '16

28 Nov '16

Hello everyone, I am happy to announce the availability the general release of MediaWiki 1.28! MediaWiki 1.28 includes all changes released in the smaller 1.28.0-wmf.* software deployments to Wikimedia sites over six months, totaling approximately 2100 commits by around 120 authors. This is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users and administrators: * https://www.mediawiki.org/wiki/MediaWiki_1.28 You can always consult the RELEASE-NOTES-1.28 file for the full list of changes in this version. Full release notes: * https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES… * https://www.mediawiki.org/wiki/Release_notes/1.28 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0.tar.gz https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.0.tar.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.0.tar.gz.… Public keys: https://www.mediawiki.org/keys/keys.html -Chad

1 1

1.26 EOL announcement
by Chad Horohoe 28 Nov '16

28 Nov '16

Hi, With the release of MediaWiki 1.28, the lifetime of MediaWiki version 1.26.x has come to an end. Users still using MediaWiki 1.26.x are advised to upgrade to version 1.28.0, the latest stable version. -Chad

1 0

Second release candidate for 1.28 (1.28.0-rc.1)
by Chad Horohoe 16 Nov '16

16 Nov '16

Hiya! I am happy to announce the availability of the second release candidate of the new MediaWiki 1.28 series! Sorry for the delay, it should've been out last week. Other things got in the way. There's not been a lot of churn on 1.28-related stuff, so I still anticipate doing the final release next week. That means, barring any blockers, there won't be an RC2. Full release notes: * https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES… * https://www.mediawiki.org/wiki/Release_notes/1.28 Known issues and final release blockers can be found in Phabricator: https://phabricator.wikimedia.org/project/board/1982/ -- Chad ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.1.tar.gz https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.1.patch.gz https://releases.wikimedia.org/mediawiki/1.28/mediawiki-i18n-1.28.0-rc.1.pa… GPG signatures: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.1.patch.g… https://releases.wikimedia.org/mediawiki/1.28/mediawiki-i18n-1.28.0-rc.1.pa… Public keys: https://www.mediawiki.org/keys/keys.html

1 0

First release candidate for 1.28 (1.28.0-rc.0)
by Tyler Cipriani 02 Nov '16

02 Nov '16

Hi all! I am pleased to announce that the first release candidate for MediaWiki 1.28 is now available. Full release notes: * https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES… * https://www.mediawiki.org/wiki/Release_notes/1.28 Known issues and final release blockers can be found in Phabricator: https://phabricator.wikimedia.org/project/board/1982/ -- Tyler ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.0.tar.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.0-rc.0.tar.gz.… Public keys: https://www.mediawiki.org/keys/keys.html

1 0

Parsoid Security Update and Release
by Subramanya Sastry 01 Nov '16

01 Nov '16

The parsing team has fixed a security bug in Parsoid [1]. * Users could send invalid prefixes, formats, or domains and run javascript code on the error page that Parsoid displayed. * This fix has been applied to the Wikimedia cluster [2] and also merged into Parsoid master [1]. * We have also released a 0.5.3 deb version with this patch applied. [3] * We have also released a 0.5.3 npm version of Parsoid. [4] * Parsoid is a stateless service and doesn't retain any state between requests. In private wikis, VisualEditor can be configured to forward the user cookie to Parsoid to pass along to the MediaWiki API to parse a page, but this exploit is not exposed through VE. In addition, Parsoid doesn't receive any user credentials on public wikis. * However, if a wiki's Parsoid service is publicly accessible on the internet *and* is accessible through the wiki's domain, then, this exploit can be used to leak user cookies for that wiki. For all wikis that use Parsoid in this fashion, we recommend they patch their Parsoid installation immediately. * On the Wikimedia cluster, Parsoid is proxied behind RESTBase and is not public accessible and as such, this exploit wasn't available for an exploit to steal user sessions. Thanks to the reporter of this exploit, Darian Patrick from the Security Team, Arlo Breault from the Parsing Team, Daniel Zahn and others from Ops for their assistance handling this bug and preparing this release. Subramanya Sastry, Technical Lead and Manager, Parsing Team, Wikimedia Foundation. [1] https://gerrit.wikimedia.org/r/#/c/319115 [2] https://www.mediawiki.org/wiki/Parsoid/Deployments#Monday.2C_October_31.2C_… [3] https://releases.wikimedia.org/debian/pool/main/p/parsoid/ [4] https://www.npmjs.com/package/parsoid

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce November 2016