Greetings-
With the security/maintenance release of MediaWiki 1.31.8/1.33.4/1.34.2
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:
== CentralAuth ==
+ (T250594, CVE-2020-12051) - globaluserinfo api allows access to
information about hidden users
<https://gerrit.wikimedia.org/r/#/q/I3c80641dc1202df7428714f0ca44717a51ff6021>
The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security(a)wikimedia.org
or file a security task within Phabricator [3].
[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-June/000252.h…
[1] https://phabricator.wikimedia.org/T248542
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
--
Scott Bassett
sbassett(a)wikimedia.org
As per the MediaWiki version lifecycle [1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.33 as of next week, Tuesday June
30, 2020.
This means that MediaWiki 1.33 will no longer receive maintenance or
security backports (barring any unforeseen issues with the 1.33.4 release
today). It is therefore strongly discouraged that you continue to use it.
It is recommended to upgrade to MediaWiki 1.34 (due to become EOL in
November 2020). The current Long Term Support (LTS) version of MediaWiki,
MediaWiki 1.31, is however older (and downgrading is not supported). The
delayed next LTS (MediaWiki 1.35) is currently due to be released in early
August 2020, and will be supported until at least June 2023.
MediaWiki 1.34 bumps the required PHP version from 7.0 in 1.33 (which is
unsupported upstream), to PHP 7.2.9 or later.
Thanks!
Sam Reed
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.34.2
- 1.33.4
- 1.31.8
This will resolve one minor issue in MediaWiki core, and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.
We've noted that these issues are minor, and as such you don't need to
apply them as quickly as with other security releases, if you're unable to
do so. We therefore decided to continue with getting the security (and
maintenance) release out for this quarter as planned, even with the global
situation as is.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As per the MediaWiki Version lifecycle [1], June 2020 is the scheduled EOL
date for the REL1_33. 1.33.4 will therefore be the final release of the
MediaWiki 1.33 branch, barring any unforeseen issues.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Thanks!
Sam
On March 30, we announced that we were temporarily pushing back the release
of MediaWiki 1.35 due to uncertainty resulting from the COVID-19 pandemic.
We are now ready to begin the process of moving forward with the release.
The first step is cutting the release branch, REL1_35, which will occur on
Monday, July 13.
We will then be in "pencils down" mode: developers will stop targeting
MediaWiki 1.35 for new features. Instead, any new features would continue
to be applied to master and would target MediaWiki 1.36 or later. The only
work that would continue towards MediaWiki 1.35 would be blockers -
critical bug fixes or features close to completion that need to make it
into the release. This would happen by merging those patches into master
and then backporting them to the REL1_35 branch.
We anticipate that MediaWiki 1.35 will be released at the beginning of
August.
We appreciate your patience in these difficult times. Wishing you safety
and health,
Cindy