(Sorry if you have received this email already. There was an issue with
Mailman yesterday, and while the email was sent to mediawiki-l and
wikitech-l successfully, it seemingly never made it to the
mediawiki-announce archives. Email slightly modified to suit being sent
today).
As per the MediaWiki version lifecycle[1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.31 as of today, Thursday September
30, 2021, coinciding with the final security and maintenance release for
the branch, 1.31.16.
This means that MediaWiki 1.31 will no longer receive maintenance or
security backports. It is therefore strongly discouraged that you continue
to use it.
It is recommended to upgrade to MediaWiki 1.35, the current Long Term
Support (LTS) version which is not due to become EOL until September 2023.
MediaWiki 1.35 bumps the required PHP version from 7.0 in 1.31 (which is
unsupported upstream), to PHP 7.3.19 or later.
Thanks!
Sam Reed
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.31.16
- 1.35.4
- 1.36.2
This will resolve 3 issues in MediaWiki core and also includes some fixes
previously committed to git, including minor security and hardening patches
along with bug fixes included for maintenance reasons.
It also fixes 1 issue in a MediaWiki tarball bundled extension.
We will make the fixes available in these respective release branches,
master and the currently unreleased 1.37 branch. Tarballs will be available
for the above mentioned point releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in
June 2021. 1.35 (the new LTS) is supported until September 2023. However,
to try and meet our LTS-LTS overlap commitments (1.35 was late due to
COVID), 1.31 got best-efforts extra support until the end of September 2021.
As the end of September 2021 is now upon us, this means 1.31.16 will be the
final security (and maintenance) release, and therefore it is considered
EOL as of tomorrow, September 30, 2021.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hi everyone,
In July 2020, vulnerabilities that allowed for remote code execution
were discovered within the Score extension [0], which primarily uses
LilyPond [1] to provide musical scores on-wiki. Futher investgation
found more vulnerabilities within LilyPond and firejail.
We are now publishing a security advisory for the Score extension with
information about the discovered vulnerabilities and information
regarding how to secure Score using Shellbox [3]. Please refer to that
for information on how to set up the Score extension in a secure manner.
Thanks,
[0] https://www.mediawiki.org/wiki/Extension:Score
[1] https://lilypond.org/
[2] https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.31.15
- 1.35.3
- 1.36.1
This will resolve 1 minor issue in MediaWiki core and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As a reminder, 1.31 (the old LTS) was due to become end of life (EOL) in
June 2021. 1.35 (the new LTS) is supported until September 2023. However,
to try and meet our LTS-LTS overlap commitments (1.35 was late due to
COVID), 1.31 will get best-efforts extra support until the end of September
2021. Practically, this will mean 1.31 is only tested on PHP 7.2, removing
the burden of testing on PHP 7.0 and 7.1 which both became EOL in 2019.
This will also mean 1.31 is eligible for one final security release in late
September 2021 before formally becoming EOL.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hello all,
I wanted to send a heads-up to various places that MediaWiki 1.31, the
legacy LTS release, will be End-of-Life as of next month, June 2021.[0]
There will be a final release to follow-on from the current latest version
1.31.14 coming out soon, but it may have slipped people's mind that this
deadline is approaching so swiftly.
System administrators still using 1.31 are encouraged to start their
migration to the current LTS release, 1.35. MediaWiki 1.35, released in
September 2020, will be supported until September 2023. If you don't
require LTS support, you will be able to upgrade to 1.36 which will be
supported till May 2022 once it is released, before the end of the month.
As always, please be mindful of the upgrade instructions, especially
including making a back-up of your database, and testing extension
compatibility.
Thanks!
[0] https://www.mediawiki.org/wiki/Version_lifecycle