In July 2020, vulnerabilities that allowed for remote code execution
were discovered within the Score extension, which primarily uses
LilyPond to provide musical scores on-wiki. Further investigation
found more vulnerabilities within LilyPond and firejail.

We are now publishing a security advisory for the Score extension with
information about the discovered vulnerabilities and information
regarding how to secure Score using Shellbox. Please refer to that
for information on how to set up the Score extension in a secure manner.

Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

This will resolve 1 minor issue in MediaWiki core and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.

We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.

A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.

As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in
June 2021. 1.35 (the new LTS) is supported until September 2023. However,
to try and meet our LTS-LTS overlap commitments (1.35 was late due to
COVID), 1.31 will get best-efforts extra support until the end of September
2021. Practically, this will mean 1.31 is only tested on PHP 7.2, removing
the burden of testing on PHP 7.0 and 7.1 which both became EOL in 2019.
This will also mean 1.31 is eligible for one final security release in late
September 2021 before formally becoming EOL.

I wanted to send a heads-up to various places that MediaWiki 1.31, the
legacy LTS release, will be End-of-Life as of next month, June 2021.
There will be a final release to follow on from the current latest version
1.31.14 coming out soon, but it may have slipped people's minds that this
deadline is approaching so swiftly.

System administrators still using 1.31 are encouraged to start their
migration to the current LTS release, 1.35. MediaWiki 1.35, released in
September 2020, will be supported until September 2023. If you don't
require LTS support, you will be able to upgrade to 1.36 which will be
supported till May 2022 once it is released, before the end of the month.

As always, please be mindful of the upgrade instructions, especially
including making a back-up of your database, and testing extension