MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

1 participants
305 discussions

MediaWiki Extensions and Skins Security Release Supplement (1.35.8/1.37.5/1.38.3)

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.35.8/1.37.5/1.38.3, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: OAuth + (T308861 <https://phabricator.wikimedia.org/T308861>, CVE-2022-39191) - OAuth debug log includes consumer secrets https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/839460/ GrowthExperiments + (T313205 <https://phabricator.wikimedia.org/T313205>, CVE-2022-39194) - Growth's Community configuration makes it possible for rogue admin to take down a site https://gerrit.wikimedia.org/r/q/I9b3766a71ee403b3a72c8af995e70c3017abe12e IPInfo + (T310763 <https://phabricator.wikimedia.org/T310763>, CVE-2022-39192) - IP Info tool shows whether an IP is autoblocked, potentially allowing unmasking of users by correlation https://gerrit.wikimedia.org/r/q/Ib1fdac6b2db70fc33f6d9e9f3e9108b6d65961b4 PageTriage + (T314245 <https://phabricator.wikimedia.org/T314245>, CVE-2022-41344) - Someone with patrol user right can mark own article as reviewed if they use api.php?action=pagetriageaction https://gerrit.wikimedia.org/r/q/I9a3c9dafc634c59d7dbf1d6d62da389046a0e22e OAuth + (T312820 <https://phabricator.wikimedia.org/T312820>, CVE-2022-41346) - Special:OAuth/rest_redirect does unrestricted redirects https://gerrit.wikimedia.org/r/q/I789fb7384d89fbf42df22dc7b1953fb9087d95b1 Translate + (T302479 <https://phabricator.wikimedia.org/T302479>, CVE-2022-41345) - Blocked users with "translation administrator" right are able to mark pages for translation https://gerrit.wikimedia.org/r/q/Ic206021 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://w.wiki/5nN3 [1] https://phabricator.wikimedia.org/T311785 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

2 hours, 48 minutes

Maintenance release: MediaWiki 1.37.6 and 1.38.4

by Sam Reed

I would like to announce the availability of MediaWiki 1.37.6 and 1.38.4. This fixes an issue identified in the MediaWiki 1.37.5 and 1.38.3 releases. The patch for T307278 was incorrectly back-ported, which would result in an error when rollbacks happened. To try and reduce the likelihood of this happening again in future, I have filed <https://phabricator.wikimedia.org/T318976> which when resolved will mean we're running both PHPCS and Phan proactively as part of the release and tarballing process. As a reminder, 1.37 is due to become end of life (EOL) in November 2022. 1.37.6 is expected to be the last release for this branch. It is recommended to upgrade to 1.38, or to 1.39 (the next LTS after 1.35) due to be released in November 2022. ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.4.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.4.zip Patch to previous version (1.38.3): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.4.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.4.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.4.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.6.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.6.zip Patch to previous version (1.37.5): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.6.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.6.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.6.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

6 days, 23 hours

Security and maintenance release: 1.35.8 / 1.37.4 / 1.38.3

by Sam Reed

1 week

Security pre-release announcement: 1.35.8 / 1.37.5 / 1.38.3

by Sam Reed

Hi all, On Thursday we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.35.8 - 1.37.5 - 1.38.3 This will resolve three low priority issues in MediaWiki core along with bug fixes included for maintenance reasons. This includes various patches for PHP 8.0 and PHP 8.1 support. We will make the fixes available in the respective release branches (plus 1.39 which is currently in release candidate status) and master in git. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later. As a reminder, 1.37 is due to become end of life (EOL) in November 2022. 1.37.5 is expected to be the last release for this branch. It is recommended to upgrade to 1.38, or to 1.39 (the next LTS after 1.35) due to be released in November 2022. [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 week

MediaWiki 1.39.0-rc.0 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.39.0-rc.0, the first release candidate for 1.39.0, the next LTS after MediaWiki 1.35. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1850 commits since 1.38.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.39-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.39 will become final in November 2022, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 https://www.mediawiki.org/wiki/Release_notes/1.39 Open Bugs: [1] https://phabricator.wikimedia.org/tag/mw-1.39-release/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.39-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.0-rc.0.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.0-rc.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.0-rc.0.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.0-rc.0.zi… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.38.0-rc.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.38.0-rc.0.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 week, 5 days

Maintenance release: MediaWiki 1.37.4

by Sam Reed

I would like to announce the availability of MediaWiki 1.37.4. This primarily fixes an issue identified in the MediaWiki 1.37.3 release. The incorrect version of guzzlehttp/guzzle was included in the tarball (and git repo) vendor, meaning that update.php would not run successfully. It also includes some minor backported fixes for PHP 8.1 support, which would reduce log spam when logging was enabled. These fixes will be included in later point releases for 1.35 and 1.38. === Changes since MediaWiki 1.37.3 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor. * (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields. ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.4.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.4.zip Patch to previous version (1.37.3): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.4.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.4.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.4.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

3 months

MediaWiki Extensions and Skins Security Release Supplement, 1.35.7/1.37.3/1.38.2

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.35.7/1.37.3/1.38.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == Create Redirect == + (T306174, CVE-2022-29547) - add to extension supplement for CreateRedirect Auth issues https://gerrit.wikimedia.org/r/q/I7b2069128b917aa1231ae4f9179557d696fdcae0 == Private Domains == + (T306290, CVE-2022-29903) - No anti-CSRF token in the edit form https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/7834… == Semantic Drilldown == + (T306463, CVE-2022-29904) - SQL injection https://gerrit.wikimedia.org/r/q/I99359ecb7c5c44acb1e3f43cbb41ba200067dca0 == Nimbus == + (T306815, CVE-2022-29907) - XSS via the "Advertise" link interface messages https://gerrit.wikimedia.org/r/c/mediawiki/skins/Nimbus/+/786959 == FanBoxes == + (T306741, CVE-2022-29905) - Classic CSRF in Special:UserBoxes https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FanBoxes/+/786327 == QuizGame == + (T302199, CVE-2022-29906) - Administrative API module lets unauthenticated requests through https://gerrit.wikimedia.org/r/c/mediawiki/extensions/QuizGame/+/765651 == RSS == + (T307028, CVE-2022-29969) - XSS in Extension:RSS when $wgRSSAllowLinkTag = true; https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RSS/+/787807 == Wikibase, WikibaseLexeme == + (T308659, CVE-2022-34750) - Validate lemma length in Special:NewLexeme(Alpha) and label/description/aliases length in Special:NewProperty https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/8092… The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://w.wiki/5QKY [1] https://phabricator.wikimedia.org/T305209 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

3 months

Security and maintenance release: 1.35.7 / 1.37.3 / 1.38.2

by Sam Reed

3 months, 1 week

Maintenance release: MediaWiki 1.38.1

by Sam Reed

I would like to announce the availability of MediaWiki 1.38.1. This fixes a couple of issues identified in the MediaWiki 1.38.0 release, and I apologise that they weren't caught in the release candidates. Thanks to all the people that reported the composer.lock issues relating to justinrainbow/json-schema not being in the bundled vendor folder. === Changes since MediaWiki 1.38.0 === * (T309860) Add justinrainbow/json-schema to vendor. * (T309933) Drop PHP 7.2 support in MediaWiki 1.38; require 7.3.19. ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.zip Patch to previous version (1.38.0): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

4 months

MediaWiki 1.36 is End of Life

by Sam Reed

As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.36 as of today, Friday June 3, 2022. This means that MediaWiki 1.36 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade either to MediaWiki 1.37, which will be supported until November 2022 or to 1.38 (released yesterday), which will be supported until June 2023. Thanks! Sam Reed [1] https://www.mediawiki.org/wiki/Version_lifecycle

4 months

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce