MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

1 participants
289 discussions

MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == Dynamic Page List 3/ DPL3 == + (T292351, CVE-2021-41118) - ReDOS in DPL3 https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHS… == CheckUser == + (T292795, CVE-2021-46150) - XSS Vulnerability in Special:CheckUserLog https://gerrit.wikimedia.org/r/q/If7cd112e627f47f9aca69b380dde1634bf55f789 == WikibaseMediaInfo == + (T293556, CVE-2021-46146) - Stored XSS via WikibaseMediaInfo caption fields https://gerrit.wikimedia.org/r/q/I58d37fb59f998f5bec4a018bf9da96a777f8ff78 == UniversalLanguageSelector == + (T293749, CVE-2021-46149) - /w/api.php?action=languagesearch denial of service https://gerrit.wikimedia.org/r/q/Ide32704cca578b9aecbce34bdcc0ac25c2a09a4d == SecurePoll == + (T290808, CVE-2021-46148) - Users with no NDA can access confidential information https://gerrit.wikimedia.org/r/q/Ic7510be487a1bf9215de9ae6cf4a26fad96384c9 == Wikibase == + (T294693, CVE-2021-45473) - XSS on page information Wikibase central description https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d == FileImporter == + (T296605, CVE-2021-45474) - XSS in Special:ImportFile URL https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e == EntitySchema == + (T296578, CVE-2021-45471) - Globally blocked IPs can edit EntitySchema items https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9, https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c == Wikibase == + (T297570, CVE-2021-45472) - XSS in Wikibase using formatter URL https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. Note: The SecurePoll Extension had other enhancements that were related to the security bug [4] but did not address the security concerns directly. See Phabricator [5] for more information. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T292236 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs [4] https://phabricator.wikimedia.org/T290808 [5] https://phabricator.wikimedia.org/T277353

1 week, 5 days

Security and maintenance release: 1.35.5 / 1.36.3 / 1.37.1

by Sam Reed

1 month, 1 week

Security pre-release announcement: 1.35.5 / 1.36.3 / 1.37.1

by Sam Reed

Hi all, On Wednesday we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.35.5 - 1.36.3 - 1.37.1 This release includes fixes for multiple high severity authorization bypasses in MediaWiki core, it is recommended you patch immediately. A short LocalSettings.php configuration snippet will also be shared to disable the vulnerable functionality if you are unable to patch right away. This snippet should work across all vulnerable MediaWiki versions, including end-of-life ones. In addition to that, this will resolve other issues in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. It also fixes 2 issues in MediaWiki tarball bundled extensions. We will make the fixes available in these respective release branches and master. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later.

1 month, 1 week

Announcing MediaWiki 1.37.0

by Sam Reed

I am happy to announce the availability of the general release of MediaWiki 1.37! Tarballs have already been uploaded, and the git tag has been pushed. Please note that MediaWiki 1.37 (as did 1.36) now requires the PHP internationalization extension, commonly referred to as Intl, ext-intl, or php-intl. As a reminder, 1.31 (the old LTS) became end of life in September 2021. 1.35 (the new LTS) is supported until September 2023. Note that the patches in comparison rc.2 are much larger than usual due to the re-introduction of translation backports. This only includes updates for MediaWiki core and bundled skins. Extension updates will follow in the next point release (along with further updates for MediaWiki core and the bundled skins). MediaWiki 1.37 will be supported until November 2022. MediaWiki 1.38 is due to be released in May 2022. === Changes since MediaWiki 1.37.0-rc.2 === * Remove justinrainbow/json-schema from vendor. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Update deprecated Guzzle Psr7 function calls. * (T281972) UserIdentityValue: Correct @since tags. * Updated wikimedia/parsoid from v0.14.0-a19 to v0.14.0. * Localisation updates. * Tweak error message for missing composer dependencies. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0.zip Patch to previous version (1.37.0-rc.2): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html Release Notes https://www.mediawiki.org/wiki/Release_notes/1.37

2 months

MediaWiki 1.37.0-rc.2 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.37.0-rc.2, the second release candidate for 1.37.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1700 commits since 1.36.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.37-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that this will be the final release candidate, and that MediaWiki 1.37 will become final in late November 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_37/RELEASE-NOTES-1.37 https://www.mediawiki.org/wiki/Release_notes/1.37 Changes since 1.37.0-rc.1: * (T295173) Re-add wikimedia/normalized-exception to vendor. * Remove wikimedia/testing-access-wrapper, psr/simple-cache, psr/http-factory from vendor. * (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set. * (T212428) Allow populateContentTables to continue when there are bad blobs. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.2.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.2.zip Patch to previous version (1.37.0-rc.1): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.patch.z… GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.2.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.2.zi… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.patch.g… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.2.patch.z… Public keys: https://www.mediawiki.org/keys/keys.html

2 months, 1 week

MediaWiki 1.37.0-rc.1 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.37.0-rc.1, the second release candidate for 1.37.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1700 commits since 1.36.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.37-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.37 will become final in late November 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_37/RELEASE-NOTES-1.37 https://www.mediawiki.org/wiki/Release_notes/1.37 Changes since 1.37.0-rc.0: * (T294043) checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763) Do not cache private wiki completion results. * (T293783) ApiQueryImageInfo: don't show empty comments as deleted. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * Remove duplicate settings from DefaultSettings. * (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.zip Patch to previous version (1.37.0-rc.0): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.z… GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.zi… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.g… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.z… Public keys: https://www.mediawiki.org/keys/keys.html

2 months, 2 weeks

MediaWiki 1.37.0-rc.0 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.37.0-rc.0, the first release candidate for 1.37.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1700 commits since 1.36.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.37-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.37 will become final in November 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_37/RELEASE-NOTES-1.37 https://www.mediawiki.org/wiki/Release_notes/1.37 Public keys: https://www.mediawiki.org/keys/keys.html Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.zi… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

3 months

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.16/1.35.4/1.36.2)

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.31.16/1.35.4/1.36.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == DataDump == + (T286376, CVE-2021-32774) - Potential CSRF generating dumps < https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd89… > == GlobalWatchlist == + (T286385, CVE-2021-42046) - XSS in GlobalWatchlist <https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d> <https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983> == Translate == + (T286884, CVE-2021-42049) - Oversight action not reversible in translated page <https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3 > == GrowthExperiments == + (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins < https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/7… > == GrowthExperiments == + (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts <https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 > == SecurePoll == + (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS <https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578> == Growth Experiments == + (T289408, CVE-2021-42044) - Permanent XSS exploitable by wiki admins (client-side part) <https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6> == Growth Experiments == + (T290692, CVE-2021-42042) - Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig <https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f> == Loops == + (T287347, CVE-2021-42040) - Loops can cause php-fpm exhaustion <https://gerrit.wikimedia.org/r/q/I0caf6f129f94612b5bcf406a171aa5ffedea1f80> == CentralAuth == + (T291696, CVE-2021-42041) - XSS vulnerability in the 'setchange' log <https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35> == MediaSearch == + (T291600, CVE-2021-42043) - XSS on Special:MediaSearch <https://gerrit.wikimedia.org/r/q/If64eb5842237c92290d07ebc3fe14710d9de3fc2> The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T285414 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

3 months, 2 weeks

Security and maintenance release: 1.31.16 / 1.35.4 / 1.36.2

by Sam Reed

3 months, 3 weeks

MediaWiki 1.31 is End of Life

by Sam Reed

(Sorry if you have received this email already. There was an issue with Mailman yesterday, and while the email was sent to mediawiki-l and wikitech-l successfully, it seemingly never made it to the mediawiki-announce archives. Email slightly modified to suit being sent today). As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.31 as of today, Thursday September 30, 2021, coinciding with the final security and maintenance release for the branch, 1.31.16. This means that MediaWiki 1.31 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade to MediaWiki 1.35, the current Long Term Support (LTS) version which is not due to become EOL until September 2023. MediaWiki 1.35 bumps the required PHP version from 7.0 in 1.31 (which is unsupported upstream), to PHP 7.3.19 or later. Thanks! Sam Reed [1] https://www.mediawiki.org/wiki/Version_lifecycle

3 months, 3 weeks

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce