MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

1 participants
297 discussions

by Sam Reed

I would like to announce the availability of MediaWiki 1.38.1. This fixes a couple of issues identified in the MediaWiki 1.38.0 release, and I apologise that they weren't caught in the release candidates. Thanks to all the people that reported the composer.lock issues relating to justinrainbow/json-schema not being in the bundled vendor folder. === Changes since MediaWiki 1.38.0 === * (T309860) Add justinrainbow/json-schema to vendor. * (T309933) Drop PHP 7.2 support in MediaWiki 1.38; require 7.3.19. ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.zip Patch to previous version (1.38.0): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.1.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

2 weeks, 6 days

MediaWiki 1.36 is End of Life

by Sam Reed

As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.36 as of today, Friday June 3, 2022. This means that MediaWiki 1.36 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade either to MediaWiki 1.37, which will be supported until November 2022 or to 1.38 (released yesterday), which will be supported until June 2023. Thanks! Sam Reed [1] https://www.mediawiki.org/wiki/Version_lifecycle

3 weeks, 2 days

Announcing MediaWiki 1.38.0

by Sam Reed

I am happy to announce the availability of the general release of MediaWiki 1.38! Tarballs have already been uploaded, and the git tag has been pushed. MediaWiki 1.38 will be supported until June 2023. MediaWiki 1.39, the next LTS, is due to be released in November 2022. === Changes since MediaWiki 1.38.0-rc.1 === * Localisation updates. * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered. * (T305779) phpunit: Support setting skin context in BundleSizeTest subclasses. * (T309028) SECURITY: ApiEditPage: update title after redirects. * (T308967) notifications: prevent log spam when invalid user object listed. * composer: Lock Parsoid version to specific 0.15.0 release. * (T306362, T308680) change-your-logo.svg: Resize to 135px square, re-crush, and manually minify. Open Bugs: [1] https://phabricator.wikimedia.org/tag/mw-1.38-release/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=mw-1.38-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0.zip Patch to previous version (1.38.0-rc.1): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html Release Notes https://www.mediawiki.org/wiki/Release_notes/1.38

3 weeks, 2 days

MediaWiki 1.38.0-rc.1 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.38.0-rc.1, the second release candidate for 1.38.0. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1500 commits since 1.37.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.38-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.38 will become final in May 2022, though the date may slip if blockers are identified. Changes since MediaWiki 1.38.0-rc.0: * Localisation updates. * (T305028) Undeprecate EditPage::$textbox2. * (T305635) LogActions is a map, not a list. * (T306721) Add wikimedia/equivset to vendor; needed by bundled AbuseFilter. * (T307284) Simplify TransactionManager::pendingWriteQueryDuration. * (T307307) Add symfony/yaml to vendor. * Fix old_name in UserLogoutComplete hook. * REST: don't send stack trace in error responses. * (T307998) SessionManager: stop storing an ObjectFactory instance. * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_38/RELEASE-NOTES-1.38 https://www.mediawiki.org/wiki/Release_notes/1.38 Open Bugs: [1] https://phabricator.wikimedia.org/tag/mw-1.38-release/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.38-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.1.zip Patch to previous version (1.38.0-rc.0): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.patch.z… GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.1.zi… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.patch.g… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.1.patch.z… Public keys: https://www.mediawiki.org/keys/keys.html

1 month

MediaWiki 1.38.0-rc.0 is ready for testing

by Sam Reed

I'm pleased to announce the immediate availability of MediaWiki 1.38.0-rc.0, the first release candidate for 1.38.0. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1500 commits since 1.37.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.38-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.38 will become final in May 2022, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_38/RELEASE-NOTES-1.38 https://www.mediawiki.org/wiki/Release_notes/1.38 Open Bugs: [1] https://phabricator.wikimedia.org/tag/mw-1.38-release/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.38-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.0.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.0.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.0-rc.0.zi… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.0-rc.0.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

2 months, 1 week

MediaWiki Extensions and Skins Security Release Supplement (1.35.6/1.36.4/1.37.2)

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.35.6/1.36.4/1.37.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == Echo == + (T285116, CVE-2022-28324) - Echo does not set X-Forwarded-For for internal API requests, some of which get logged to CU https://gerrit.wikimedia.org/r/q/I0551fe64042676f8a2b35afb82a3b4e9c09ea673 == GrowthExperiments == + (T298019, CVE-2022-28326) - i18n XSS in GrowthExperiments suggested edits pager https://gerrit.wikimedia.org/r/q/Iadc224a038ef0cec072cc1d6b84277355648f9f9 == MobileFrontend == + (T298581, CVE-2022-28325) - Mobile version of Special:Contributions leaks existence of globally suppressed users https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038 == SecurePoll == + (T298434, CVE-2022-28323) - SecurePoll leaks voter's exact vote timestamp https://gerrit.wikimedia.org/r/q/I4dbb315226af267d43154d1a5a5c4635d68d1038 == FileImporter == + (T294256, CVE-2022-28206) - FileImporter allows imports to cascade protected files when the importer does not have administrator permissions https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/757022 == GrowthExperiments == + (T298312, CVE-2022-28207) - Special:Impact leaks suppressed usernames https://gerrit.wikimedia.org/r/q/mediawiki/extensions/GrowthExperiments/+/7… == CentralAuth == + (T302248, CVE-2022-28205) - CentralAuth expiring global groups do not expire https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765336 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/765335 == Wikibase == + (T302215, CVE-2022-28208) - HTML injection / XSS from i18n message in WikibaseClient edit hook https://gerrit.wikimedia.org/r/q/Ife8620d65577e53b03ef4674f54d1684e2f5a773 == JsonConfig == + (T302192, CVE-2021-28210) - Data fields in Commons tabular datasets allow running arbitrary JS https://gerrit.wikimedia.org/r/q/Ifa2f6ec9ccce3b781e83a9905392e70d6a7340ad == TimedMediaHandler == + (T160800, CVE-2022-28211) - TimedMediaHandler doesn't prevent blocked users from restarting transcodes https://gerrit.wikimedia.org/r/q/I285c7c189af350be22f5de7b1c6757ad7479a20c == AntiSpoof == + (T304126, CVE-2022-28209) - One of the checks for 'override-antispoof' permission is inverted https://gerrit.wikimedia.org/r/q/Id8c4e2e336695ce70ccdf8a51ad729bf4a99f8f7 == FlaggedRevs == + (T304354, CVE-2022-28212) - It is impossible to oversight who has reviewed a revision via FlaggedRevs https://gerrit.wikimedia.org/r/q/I563bc73829d3a7c6349d364287ba42df78f3c91a == CentralAuth == + (T226212, CVE-2022-28322) - Global rename log shows timestamp of suppressed action https://gerrit.wikimedia.org/r/q/Ica7fedf10a4a8cca3d4b811ff05bfd5553753603 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://w.wiki/52Am [1] https://phabricator.wikimedia.org/T297839 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

2 months, 2 weeks

Security and maintenance release: 1.35.6 / 1.36.4 / 1.37.2

by Sam Reed

2 months, 3 weeks

Security pre-release announcement: 1.35.6 / 1.36.4 / 1.37.2

by Sam Reed

Hi all, On Thursday we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.35.6 - 1.36.4 - 1.37.2 This will resolve four issues in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. One issue does not affect MediaWiki 1.35 and 1.36. In addition to those, these releases will resolve other issues in MediaWiki core and also include some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. We will make the fixes available in the respective release branches and master in git. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later. As a reminder, 1.36 is due to become end of life (EOL) in May 2022. 1.36.4 is expected to be the last release for this branch. It is recommended to upgrade to 1.37, or to 1.38 due to be released in May 2022. [1] https://www.mediawiki.org/wiki/Version_lifecycle

2 months, 4 weeks

MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

by Maryum Styles

Greetings- With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == Dynamic Page List 3/ DPL3 == + (T292351, CVE-2021-41118) - ReDOS in DPL3 https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHS… == CheckUser == + (T292795, CVE-2021-46150) - XSS Vulnerability in Special:CheckUserLog https://gerrit.wikimedia.org/r/q/If7cd112e627f47f9aca69b380dde1634bf55f789 == WikibaseMediaInfo == + (T293556, CVE-2021-46146) - Stored XSS via WikibaseMediaInfo caption fields https://gerrit.wikimedia.org/r/q/I58d37fb59f998f5bec4a018bf9da96a777f8ff78 == UniversalLanguageSelector == + (T293749, CVE-2021-46149) - /w/api.php?action=languagesearch denial of service https://gerrit.wikimedia.org/r/q/Ide32704cca578b9aecbce34bdcc0ac25c2a09a4d == SecurePoll == + (T290808, CVE-2021-46148) - Users with no NDA can access confidential information https://gerrit.wikimedia.org/r/q/Ic7510be487a1bf9215de9ae6cf4a26fad96384c9 == Wikibase == + (T294693, CVE-2021-45473) - XSS on page information Wikibase central description https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d == FileImporter == + (T296605, CVE-2021-45474) - XSS in Special:ImportFile URL https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e == EntitySchema == + (T296578, CVE-2021-45471) - Globally blocked IPs can edit EntitySchema items https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9, https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c == Wikibase == + (T297570, CVE-2021-45472) - XSS in Wikibase using formatter URL https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. Note: The SecurePoll Extension had other enhancements that were related to the security bug [4] but did not address the security concerns directly. See Phabricator [5] for more information. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T292236 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs [4] https://phabricator.wikimedia.org/T290808 [5] https://phabricator.wikimedia.org/T277353

5 months, 2 weeks

Security and maintenance release: 1.35.5 / 1.36.3 / 1.37.1

by Sam Reed

6 months, 1 week

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce