MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

1 participants
334 discussions

MediaWiki 1.37.0-rc.1 is ready for testing
by Sam Reed 04 Nov '21

04 Nov '21

I'm pleased to announce the immediate availability of MediaWiki 1.37.0-rc.1, the second release candidate for 1.37.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1700 commits since 1.36.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.37-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.37 will become final in late November 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_37/RELEASE-NOTES-1.37 https://www.mediawiki.org/wiki/Release_notes/1.37 Changes since 1.37.0-rc.0: * (T294043) checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763) Do not cache private wiki completion results. * (T293783) ApiQueryImageInfo: don't show empty comments as deleted. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * Remove duplicate settings from DefaultSettings. * (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.zip Patch to previous version (1.37.0-rc.0): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.z… GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.1.zi… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.g… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.1.patch.z… Public keys: https://www.mediawiki.org/keys/keys.html

1 0

MediaWiki 1.37.0-rc.0 is ready for testing
by Sam Reed 21 Oct '21

21 Oct '21

I'm pleased to announce the immediate availability of MediaWiki 1.37.0-rc.0, the first release candidate for 1.37.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As with every release of MediaWiki, a large number of changes have landed in the last six months (over 1700 commits since 1.36.0 was cut), and you should read over the preliminary release notes as part of assuring yourself of areas that may have issues with your configuration, your skins, and/or your extensions. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.37-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.37 will become final in November 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_37/RELEASE-NOTES-1.37 https://www.mediawiki.org/wiki/Release_notes/1.37 Public keys: https://www.mediawiki.org/keys/keys.html Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4928/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.37-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.0-rc.0.zi… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.0-rc.0.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 0

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.31.16/1.35.4/1.36.2)
by Maryum Styles 07 Oct '21

07 Oct '21

Greetings- With the security/maintenance release of MediaWiki 1.31.16/1.35.4/1.36.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == DataDump == + (T286376, CVE-2021-32774) - Potential CSRF generating dumps < https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd89… > == GlobalWatchlist == + (T286385, CVE-2021-42046) - XSS in GlobalWatchlist <https://gerrit.wikimedia.org/r/q/Ib7f9b009730fe0df283cec1169f84c7a83a58b1d> <https://gerrit.wikimedia.org/r/q/Id2204fb5afe591d63764466de35ac0aaa5999983> == Translate == + (T286884, CVE-2021-42049) - Oversight action not reversible in translated page <https://gerrit.wikimedia.org/r/q/I4d95220ef414337147235f7ebedc9b945c3348e3 > == GrowthExperiments == + (T289063, CVE-2021-42047) - Mentor dashboard: Permanent XSS exploitable by wiki admins < https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GrowthExperiments/+/7… > == GrowthExperiments == + (T289064, CVE-2021-42048) - Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts <https://gerrit.wikimedia.org/r/q/Iaa90a8976834d70caad592e9d1b18510318db537 > == SecurePoll == + (T289385, CVE-2021-42045) - Modified HTTP headers allow XSS <https://gerrit.wikimedia.org/r/q/I4f04083cd00884d3b85245460774c81c7639a578> == Growth Experiments == + (T289408, CVE-2021-42044) - Permanent XSS exploitable by wiki admins (client-side part) <https://gerrit.wikimedia.org/r/q/I858d55fb2eca9b50ac6ef5a6f2a7b2784f0fa0d6> == Growth Experiments == + (T290692, CVE-2021-42042) - Permanent XSS exploitable by wiki admins in SpecialEditGrowthConfig <https://gerrit.wikimedia.org/r/q/Ibeb13d032ca044af53f6b2334e27b6b97b6f4e9f> == Loops == + (T287347, CVE-2021-42040) - Loops can cause php-fpm exhaustion <https://gerrit.wikimedia.org/r/q/I0caf6f129f94612b5bcf406a171aa5ffedea1f80> == CentralAuth == + (T291696, CVE-2021-42041) - XSS vulnerability in the 'setchange' log <https://gerrit.wikimedia.org/r/q/I7aeaa6e4de5ccaa5eeb6bf4fb00c96b01d5fea35> == MediaSearch == + (T291600, CVE-2021-42043) - XSS on Special:MediaSearch <https://gerrit.wikimedia.org/r/q/If64eb5842237c92290d07ebc3fe14710d9de3fc2> The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T285414 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

1 0

Security and maintenance release: 1.31.16 / 1.35.4 / 1.36.2
by Sam Reed 30 Sep '21

30 Sep '21

1 0

MediaWiki 1.31 is End of Life
by Sam Reed 30 Sep '21

30 Sep '21

(Sorry if you have received this email already. There was an issue with Mailman yesterday, and while the email was sent to mediawiki-l and wikitech-l successfully, it seemingly never made it to the mediawiki-announce archives. Email slightly modified to suit being sent today). As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.31 as of today, Thursday September 30, 2021, coinciding with the final security and maintenance release for the branch, 1.31.16. This means that MediaWiki 1.31 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade to MediaWiki 1.35, the current Long Term Support (LTS) version which is not due to become EOL until September 2023. MediaWiki 1.35 bumps the required PHP version from 7.0 in 1.31 (which is unsupported upstream), to PHP 7.3.19 or later. Thanks! Sam Reed [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

Security pre-release announcement: 1.31.16 / 1.35.4 / 1.36.2
by Sam Reed 29 Sep '21

29 Sep '21

Hi all, Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.31.16 - 1.35.4 - 1.36.2 This will resolve 3 issues in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. It also fixes 1 issue in a MediaWiki tarball bundled extension. We will make the fixes available in these respective release branches, master and the currently unreleased 1.37 branch. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow. As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in June 2021. 1.35 (the new LTS) is supported until September 2023. However, to try and meet our LTS-LTS overlap commitments (1.35 was late due to COVID), 1.31 got best-efforts extra support until the end of September 2021. As the end of September 2021 is now upon us, this means 1.31.16 will be the final security (and maintenance) release, and therefore it is considered EOL as of tomorrow, September 30, 2021. [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

Extension:Score security advisory
by Kunal Mehta 23 Aug '21

23 Aug '21

Hi everyone, In July 2020, vulnerabilities that allowed for remote code execution were discovered within the Score extension [0], which primarily uses LilyPond [1] to provide musical scores on-wiki. Futher investgation found more vulnerabilities within LilyPond and firejail. We are now publishing a security advisory for the Score extension with information about the discovered vulnerabilities and information regarding how to secure Score using Shellbox [3]. Please refer to that for information on how to set up the Score extension in a secure manner. Thanks, [0] https://www.mediawiki.org/wiki/Extension:Score [1] https://lilypond.org/ [2] https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory

1 0

MediaWiki Extensions and Skins Security Release Supplement (1.31.15/1.35.3/1.36.1)
by Scott Bassett 02 Jul '21

02 Jul '21

Greetings- With the security/maintenance release of MediaWiki 1.31.15/1.35.3/1.36.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == SocialProfile == + (T281043, CVE-2021-36130) - Stored XSS in various SystemGifts-related special pages <https://gerrit.wikimedia.org/r/q/Id915eba45497a1a0dc1c4e00818a2fd4c0ce55d3> == SportsTeams == + (T281196, CVE-2021-36131) - Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams <https://gerrit.wikimedia.org/r/691913> == FileImporter == + (T280590, CVE-2021-36132) - Special:ImportFile does not check permissions from own config FileImporterRequiredRight <https://gerrit.wikimedia.org/r/q/I8ff2a67abd2c118a3469e4410eac2a451bfa76c3> == ManageWiki == + (T281417, CVE-2021-29483) - 'wikiconfig' API leaked private config variables < https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g… > == CentralAuth == + (T260865, CVE-2021-36125) - Very long usernames can cause an infinite loop when loading Special:GlobalRenameRequest <https://gerrit.wikimedia.org/r/q/I97d8b3236b5abed8ba9a9c4d3ab5050c2e782c22> + (T281972, CVE-2021-36128) - Disable autoblocks for CentralAuth-issued suppression blocks <https://gerrit.wikimedia.org/r/q/I15d14c88a1e30df92c470bc191c4ee573172d4d1> + (T285190, CVE-2021-36127) - Special:GlobalUserRights reveals existence of globally suppressed users <https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec> == Translate == + (T282932, CVE-2021-36129) - Aggregategroups Action API module allows deleting translatable page metadata for any group without trace <https://gerrit.wikimedia.org/r/q/I3619a7e88c2eb979babb7b027d4fdbfabc0af792> == AbuseFilter == + (T284364, CVE-2021-36126) - Bad english MediaWiki:Abusefilter-blocker breaks filters <https://gerrit.wikimedia.org/r/q/I9e9f44b7663e810de70fb9ac7f6760f83dd4895b> The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T279733 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs -- Scott Bassett sbassett(a)wikimedia.org

1 0

Security and maintenance release: 1.31.15 / 1.35.3 / 1.36.1
by Sam Reed 23 Jun '21

23 Jun '21

1 0

Security pre-release announcement: 1.31.15 / 1.35.3 / 1.36.1
by Sam Reed 22 Jun '21

22 Jun '21

Hi all, Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.31.15 - 1.35.3 - 1.36.1 This will resolve 1 minor issue in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. We will make the fixes available in these respective release branches, and also master. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow. As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in June 2021. 1.35 (the new LTS) is supported until September 2023. However, to try and meet our LTS-LTS overlap commitments (1.35 was late due to COVID), 1.31 will get best-efforts extra support until the end of September 2021. Practically, this will mean 1.31 is only tested on PHP 7.2, removing the burden of testing on PHP 7.0 and 7.1 which both became EOL in 2019. This will also mean 1.31 is eligible for one final security release in late September 2021 before formally becoming EOL. [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
34
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce