MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

330 discussions

by Sam Reed

(Sorry if you have received this email already. There was an issue with Mailman yesterday, and while the email was sent to mediawiki-l and wikitech-l successfully, it seemingly never made it to the mediawiki-announce archives. Email slightly modified to suit being sent today). As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.31 as of today, Thursday September 30, 2021, coinciding with the final security and maintenance release for the branch, 1.31.16. This means that MediaWiki 1.31 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade to MediaWiki 1.35, the current Long Term Support (LTS) version which is not due to become EOL until September 2023. MediaWiki 1.35 bumps the required PHP version from 7.0 in 1.31 (which is unsupported upstream), to PHP 7.3.19 or later. Thanks! Sam Reed [1] https://www.mediawiki.org/wiki/Version_lifecycle

2 years, 7 months

Security pre-release announcement: 1.31.16 / 1.35.4 / 1.36.2

by Sam Reed

Hi all, Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.31.16 - 1.35.4 - 1.36.2 This will resolve 3 issues in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. It also fixes 1 issue in a MediaWiki tarball bundled extension. We will make the fixes available in these respective release branches, master and the currently unreleased 1.37 branch. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow. As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in June 2021. 1.35 (the new LTS) is supported until September 2023. However, to try and meet our LTS-LTS overlap commitments (1.35 was late due to COVID), 1.31 got best-efforts extra support until the end of September 2021. As the end of September 2021 is now upon us, this means 1.31.16 will be the final security (and maintenance) release, and therefore it is considered EOL as of tomorrow, September 30, 2021. [1] https://www.mediawiki.org/wiki/Version_lifecycle

2 years, 7 months

Extension:Score security advisory

by Kunal Mehta

Hi everyone, In July 2020, vulnerabilities that allowed for remote code execution were discovered within the Score extension [0], which primarily uses LilyPond [1] to provide musical scores on-wiki. Futher investgation found more vulnerabilities within LilyPond and firejail. We are now publishing a security advisory for the Score extension with information about the discovered vulnerabilities and information regarding how to secure Score using Shellbox [3]. Please refer to that for information on how to set up the Score extension in a secure manner. Thanks, [0] https://www.mediawiki.org/wiki/Extension:Score [1] https://lilypond.org/ [2] https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory

2 years, 8 months

MediaWiki Extensions and Skins Security Release Supplement (1.31.15/1.35.3/1.36.1)

by Scott Bassett

Greetings- With the security/maintenance release of MediaWiki 1.31.15/1.35.3/1.36.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == SocialProfile == + (T281043, CVE-2021-36130) - Stored XSS in various SystemGifts-related special pages <https://gerrit.wikimedia.org/r/q/Id915eba45497a1a0dc1c4e00818a2fd4c0ce55d3> == SportsTeams == + (T281196, CVE-2021-36131) - Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams <https://gerrit.wikimedia.org/r/691913> == FileImporter == + (T280590, CVE-2021-36132) - Special:ImportFile does not check permissions from own config FileImporterRequiredRight <https://gerrit.wikimedia.org/r/q/I8ff2a67abd2c118a3469e4410eac2a451bfa76c3> == ManageWiki == + (T281417, CVE-2021-29483) - 'wikiconfig' API leaked private config variables < https://github.com/miraheze/ManageWiki/security/advisories/GHSA-jmc9-rv2f-g… > == CentralAuth == + (T260865, CVE-2021-36125) - Very long usernames can cause an infinite loop when loading Special:GlobalRenameRequest <https://gerrit.wikimedia.org/r/q/I97d8b3236b5abed8ba9a9c4d3ab5050c2e782c22> + (T281972, CVE-2021-36128) - Disable autoblocks for CentralAuth-issued suppression blocks <https://gerrit.wikimedia.org/r/q/I15d14c88a1e30df92c470bc191c4ee573172d4d1> + (T285190, CVE-2021-36127) - Special:GlobalUserRights reveals existence of globally suppressed users <https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec> == Translate == + (T282932, CVE-2021-36129) - Aggregategroups Action API module allows deleting translatable page metadata for any group without trace <https://gerrit.wikimedia.org/r/q/I3619a7e88c2eb979babb7b027d4fdbfabc0af792> == AbuseFilter == + (T284364, CVE-2021-36126) - Bad english MediaWiki:Abusefilter-blocker breaks filters <https://gerrit.wikimedia.org/r/q/I9e9f44b7663e810de70fb9ac7f6760f83dd4895b> The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikime… [1] https://phabricator.wikimedia.org/T279733 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs -- Scott Bassett sbassett(a)wikimedia.org

2 years, 10 months

Security and maintenance release: 1.31.15 / 1.35.3 / 1.36.1

by Sam Reed

2 years, 10 months

Security pre-release announcement: 1.31.15 / 1.35.3 / 1.36.1

by Sam Reed

Hi all, Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.31.15 - 1.35.3 - 1.36.1 This will resolve 1 minor issue in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons. We will make the fixes available in these respective release branches, and also master. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow. As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in June 2021. 1.35 (the new LTS) is supported until September 2023. However, to try and meet our LTS-LTS overlap commitments (1.35 was late due to COVID), 1.31 will get best-efforts extra support until the end of September 2021. Practically, this will mean 1.31 is only tested on PHP 7.2, removing the burden of testing on PHP 7.0 and 7.1 which both became EOL in 2019. This will also mean 1.31 is eligible for one final security release in late September 2021 before formally becoming EOL. [1] https://www.mediawiki.org/wiki/Version_lifecycle

2 years, 10 months

Announcing MediaWiki 1.36.0

by Sam Reed

I am happy to announce the availability of the general release of MediaWiki 1.36! Tarballs have already been uploaded, and the git tag has been pushed. Please note that MediaWiki 1.36 now requires the PHP internationalization extension, commonly referred to as Intl, ext-intl, or php-intl. As a reminder, 1.31 (the old LTS) is due to become end of life in June 2021. 1.35 (the new LTS) is supported until September 2023. However, to try and meet our LTS-LTS overlap commitments (1.35 was late due to COVID), 1.31 will get best-efforts extra support until the end of September 2021. Practically, this will mean 1.31 is only tested on PHP 7.2, removing the burden of testing on PHP 7.0 and 7.1 which both became EOL in 2019. It is also noted that the patch from MediaWiki 1.36.0-rc.0 to MediaWiki 1.36.0 (mediawiki-1.36.0.patch.gz/mediawiki-1.36.0.patch.zip) is larger than expected due to an issue with the initial importing of skins and extensions as submodules into the REL1_36 branch. A bug has been filed for this issue, but doesn't cause any practical issues otherwise. MediaWiki 1.36 will be supported until May 2022. MediaWiki 1.37 is due to be released in November 2021. === Changes since MediaWiki 1.36.0-rc.0 === * (T248481) rdbms: Use server time in DatabaseMysqlBase::getLagFromPtHeartbeat(). * (T281549) WebInstaller: Don't show the announce-l subscribe checkbox for now. * (T264214) Follow-ups for UserGroupManager. * (T282280) resourceloader: Fix path-only URLs in wiki modules when script path is docroot. * (T281972) UserIdentityValue: Introduce convenience static factory methods. * (T230428) Make page_is_redirect and page_is_new unsigned. * (T280292) Legacy feature should not load thumbnail style rules (only layout). * (T283247) Freenode -> Libera per wikimedia moving from freenode to libera. * (T280270) composer: Lock Parsoid version to specific 0.13.0 release. * (T142663) Add extension.json merge strategy "provide_default". * (T283540) HookContainer: Fix normalization of callback for static handler. * (T283464) registration: Fix array order for array_replace_recursive merge strategy. * (T283539) Interwiki: Fix calling "onInterwikiLoadPrefix" hook. * (T282594) Timeless: Re-branch to 40eb3dad1for REL1_36. Open Bugs: [1] https://phabricator.wikimedia.org/project/board/4555/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.36-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.tar.gz https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0.tar.gz https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0.zip Patch to previous version (1.36.0-rc.0): https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.patch.gz https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0.zip.sig https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.zip.sig https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html Release Notes https://www.mediawiki.org/wiki/Release_notes/1.36

2 years, 11 months

MediaWiki 1.31 will soon be End-of-Life

by Sam Reed

Hello all, I wanted to send a heads-up to various places that MediaWiki 1.31, the legacy LTS release, will be End-of-Life as of next month, June 2021.[0] There will be a final release to follow-on from the current latest version 1.31.14 coming out soon, but it may have slipped people's mind that this deadline is approaching so swiftly. System administrators still using 1.31 are encouraged to start their migration to the current LTS release, 1.35. MediaWiki 1.35, released in September 2020, will be supported until September 2023. If you don't require LTS support, you will be able to upgrade to 1.36 which will be supported till May 2022 once it is released, before the end of the month. As always, please be mindful of the upgrade instructions, especially including making a back-up of your database, and testing extension compatibility. Thanks! [0] https://www.mediawiki.org/wiki/Version_lifecycle

2 years, 11 months

MediaWiki 1.36.0-rc.0 is ready for testing

by Tyler Cipriani

I'm pleased to announce the immediate availability of MediaWiki 1.36.0-rc.0, the first release candidate for 1.36.x. Download links are at the end of the e-mail. The tag has been signed and pushed to Git. Please note that MediaWiki 1.36 now requires the PHP internationalization extension, commonly referred to as Intl, ext-intl, or php-intl. This is not a final release, and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As always, please try out the release candidate in a test environment and do report any issues that you discover. Please use the #MW-1.36-Release [2] tag in Phabricator when reporting issues specific to this release, to make sure that we find them as quickly as possible. It is expected that MediaWiki 1.36 will become final in May 2021, though the date may slip if blockers are identified. Preliminary release notes: https://gerrit.wikimedia.org/g/mediawiki/core/+/REL1_36/RELEASE-NOTES-1.36 https://www.mediawiki.org/wiki/Release_notes/1.36 Public keys: https://www.mediawiki.org/keys/keys.html Open Bugs: [1] https://phabricator.wikimedia.org/project/board/3386/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.36-… ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0-rc.0.tar.gz https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0-rc.0.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0-rc.0.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.0-rc.0.zi… https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0-rc.0.tar.gz.… https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.0-rc.0.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

3 years

MediaWiki Extensions and Skins Security Release Supplement (1.31.13/1.35.2)

by Scott Bassett

Greetings- With the security/maintenance release of MediaWiki 1.31.13/1.35.2 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: == CommentBox == + (T270767, CVE-2021-31550) - Wg variables aren't validated by CommentBox - possible raw html insertion risk <https://gerrit.wikimedia.org/r/651934> == AbuseFilter == + (T272333, CVE-2021-31548) - Disallow the edit if blocking the user didn't succeed <https://gerrit.wikimedia.org/r/657092> == WikiLove == + (T270142, CVE-2021-31557) - mw.config.get( 'wikilove-anon' ) leaks the existence of hidden users <https://gerrit.wikimedia.org/r/q/Ibcd87abe01719222beadcfc0de13038c3021adef> == PageForms == + (T259433, CVE-2021-31551) - XSS issue in Extension:PageForms <https://gerrit.wikimedia.org/r/q/I5e0abbc2f80e6bda255b3b32a4df39a7fe7d3793> <https://gerrit.wikimedia.org/r/q/Ibe68b070ee791cd0c8e7f50eb04ac4e066b1512c> <https://gerrit.wikimedia.org/r/q/I20b63bd38779d2ccbe2d86f9879df85ca3b685f6> == AbuseFilter == + (T71617, CVE-2021-31546) - AbuseFilter logs suppression deletions <https://gerrit.wikimedia.org/r/q/I38a0a24fa32ca7a052b6940864a32b3856e84553> == AbuseFilter == + (T223654, CVE-2021-31547) - AbuseFilterCheckMatch API reveals suppressed edits and usernames <https://gerrit.wikimedia.org/r/q/I4900b1be73323599d74e3164447f81eded094d75> <https://gerrit.wikimedia.org/r/q/I3f7dbd8b873d411e37c8c3aac2339bf5ec36907d> == AbuseFilter == + (T71367, CVE-2021-31545) - page_recent_contributors leaks revdeleted user names <https://gerrit.wikimedia.org/r/q/I8d5ed9ca84282ee50832035af86123633fc88293> == AbuseFilter == + (T274152, CVE-2021-31549) - Special:AbuseFilter/examine reveals suppressed usernames <https://gerrit.wikimedia.org/r/q/I6063c02fa261c4cc0e6dbbb2db4e111eb85912c2> <https://gerrit.wikimedia.org/r/q/I71a6d521bd12931ce60eec4d2dc35af19146000f> == CheckUser == + (T275669, CVE-2021-31553) - Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will <https://gerrit.wikimedia.org/r/666963> <https://gerrit.wikimedia.org/r/666964> == AbuseFilter == + (T152394, CVE-2021-31552) - AbuseFilter privacy concerns on action == 'createaccount' and 'accountname' <https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1> == AbuseFilter == + (T272244, CVE-2021-31554) - AbuseFilter blocks not working for account autocreations <https://gerrit.wikimedia.org/r/q/Ie1f4333d5b1c9d17fb2236fe38a31de427a4cc48> == OAuth == + (T277380, CVE-2021-31556) - OAuth doesn't validate length of oarc_rsa_key <https://gerrit.wikimedia.org/r/q/I13ff0350a9a0a3cd5ab3e1f82dd0d8d9c13cf9e9> == OAuth == + (T277388, CVE-2021-31555) - OAuth doesn't validate length of oarc_version <https://gerrit.wikimedia.org/r/q/I222c053b4b14ac1ad0f5b3a51565b1b9cd4c139d> The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.… [1] https://phabricator.wikimedia.org/T270466 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs -- Scott Bassett sbassett(a)wikimedia.org

3 years

← Newer
1
2
3
4
5
6
7
8
9
...
33
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce