Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.31.11
- 1.35.1
This will resolve 5 issues in MediaWiki core (1 of which isn't applicable
to MediaWiki 1.31 at all), and also includes some fixes previously
committed to git, including minor security and hardening patches along with
bug fixes included for maintenance reasons.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As per the MediaWiki Version lifecycle [1], November 2020 was the scheduled
EOL date for the REL1_34. MediaWiki 1.35.1 will be supported until at least
September 2023, and would be the recommended upgrade path for anyone still
using 1.34.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
As per the MediaWiki version lifecycle,[1] I would like to announce the
formal end of life (EOL) of MediaWiki 1.34 as of today, Monday November 30,
2020.
This means that MediaWiki 1.34 will no longer receive maintenance or
security backports. It is therefore strongly discouraged that you continue
to use it.
It is recommended to upgrade to MediaWiki 1.35, the current Long Term
Support (LTS) version which is not due to become EOL until September 2023.
The legacy Long Term Support version of MediaWiki, MediaWiki 1.31, is older
and downgrading is not supported.
MediaWiki 1.35 bumps the required PHP version from 7.2.9 in 1.34 (which is
unsupported upstream), to PHP 7.3.19 or later.
Thanks!
Sam Reed
[1] https://www.mediawiki.org/wiki/Version_lifecycle
I am happy to announce the belated availability of the general release of
MediaWiki 1.35!
Tarballs have already been uploaded, and the git tag has been pushed.
Thanks to everyone who helped out with this release, especially thanks to
those who tested out the release candidates and provided feedback, as well
as the developers who worked hard to get several important fixes merged in
time for the 1.35 final release. To see what's changed in 1.35, see the
release notes below.
Please note that the PHP version requirement has been raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.
MediaWiki 1.35 is an LTS and is due to be supported until the end of
September 2023.
As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due
to become end of life in November 2020.
As per the pre-release announcement, 1.35.0 also includes some security
fixes that weren't in the release candidates, which came out yesterday for
the ther supported MediaWiki branches.
Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate Node.js service. The documentation for this still may still
require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work
using SQLite as the database backend for MediaWiki. This is due to the lack
of write concurrency in SQLite. If you wish to use this feature, it is
recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still
experimental. It should become stable in a later point release. Please
report any issues/bugs [3].
== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661
=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in
ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when
clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to
ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.
Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/
Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-…
[3]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-…
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz
Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.…https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sighttps://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.34.3
- 1.31.9
This will resolve eight issues in MediaWiki core (two of which aren't
applicable to MediaWiki 1.31), and also includes some fixes previously
committed to git, including minor security and hardening patches along with
bug fixes included for maintenance reasons.
For those of you waiting on MediaWiki 1.35.0, this will also come either
tomorrow, or at latest Friday (depending on CI load), including the
security fixes applied to these other supported release branches. We thank
you for your patience; the current global situation means things have taken
longer than would have been expected, but it has meant more bug fixes being
incorporated from testing across the board. It also meant not having a
security 1.35.1 release followup only a couple of weeks after 1.35.0 coming
out. Which, for many people would mean extra work to upgrade again, and it
was decided to avoid this.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As per the MediaWiki Version lifecycle [1], November 2020 is the scheduled
EOL date for the REL1_34. 1.34.3 will therefore potentially be the final
release of the MediaWiki 1.34 branch, barring any unforeseen issues. As per
above, MediaWiki 1.35.0 will be released this week, and will be supported
until at least September 2023, and would be the recommended upgrade path.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
I'm pleased to announce the immediate availability of MediaWiki
1.35.0-rc.3, the fourth (and hopefully final; only minor documentation and
packaging changes are expected) release candidate for 1.35.x, the next LTS
version to replace 1.31 which is due to go end of life in June 2021.
Download links at the end of the e-mail. The tag has been signed and pushed
to Git.
Please note that the PHP version requirement has been raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.
This is not a final release and should not be used for production websites.
Known issues are tracked in Phabricator on the release workboard [1]. As
always please do try out the release candidate in a test environment and
report any issues that you discover. Please use the #MW-1.35-Release [2]
tag in Phabricator when reporting issues specific to this release.
It is expected that MediaWiki 1.35 will become final in mid September 2020
(apologies for the delay), and will be supported for 3 years after that.
Known/outstanding issues/things to test:
* The PHP requirement for MediaWiki 1.35 has been raised to 7.3.19.
* Both the Vector skin and the underlying skin infrastructure are
undergoing numerous changes, so there might be things broken that are
already fixed in master and as such need backporting.
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate nodejs service. The documentation for this still may still
require some updates.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently
experimental. It should be finished for the 1.35.0 final release.
* If you're on Windows and use 7zip and had issues in the previous release
candidates (and the last round of security releases) extracting the
tarball, this should be fixed for this release.
Changes since 1.35.0-rc.2:
* (T258662) mediawiki.visibleTimeout: Update the nextVisibleTimeoutId value.
* Ensure Parsoid doesn't throw when <ref> is used w/o Cite installed.
* Remove maintenance/createCommonPasswordCdb.php.
* (T260468) Increase "sites.site_global_key" to varbinary(64).
* (T183759) Fix shell edge-cases in Windows.
* (T257879) Drop PHP 7.2 support; require 7.3.19.
* (T251661) User::pingLimiter: add user-global rate limit type.
* (T246991) User: enforce pingLimiter() expiry time.
* (T256831) Rest: Handle Uri constructor exception.
* (T259094) Fix RequestFromGlobalsTest failing in Travis CI.
* (T256831, T261344) Rest: Use try/catch to handle URIs with embedded colon.
Preliminary release notes:
https://phabricator.wikimedia.org/source/mediawiki/browse/REL1_35/RELEASE-N…https://www.mediawiki.org/wiki/Release_notes/1.35
Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/
Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-…
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.3.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0-rc.3.ta…
Patch to previous version (1.35.0-rc.2):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.3.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0-rc.3.ta…https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.3.tar.gz.…
Public keys:
https://www.mediawiki.org/keys/keys.html
I'm pleased to announce the immediate availability of MediaWiki
1.35.0-rc.2, the third release candidate for 1.35.x, the next LTS version
to replace 1.31 which is due to go end of life in June 2021. Download links
at the end of the e-mail. The tag has been signed and pushed to Git.
Please note that the PHP version requirement has been raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.2.22 (this may change
further, see below).
This is not a final release and should not be used for production websites.
Known issues are tracked in Phabricator on the release workboard [1]. As
always please do try out the release candidate in a test environment and
report any issues that you discover. Please use the #MW-1.35-Release [2]
tag in Phabricator when reporting issues specific to this release.
It is expected that MediaWiki 1.35 will become final in late August 2020,
and will be supported for 3 years after that.
Known/outstanding issues/things to test:
* It has been proposed to require PHP 7.3 for MediaWiki 1.35, please
discuss at <https://phabricator.wikimedia.org/T257879>.
* Both the Vector skin and the underlying skin infrastructure are
undergoing numerous changes, so there might be things broken that are
already fixed in master and as such need backporting.
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate nodejs service. The documentation for this still needs to
be updated, and in some cases, users are reporting HTTP 500 errors from
RestBase <https://phabricator.wikimedia.org/T259693>.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently
experimental. It should be finished for the 1.35.0 final release.
* If you're on Windows and use 7zip and had issues in the previous release
candidates (and the last round of security releases) extracting the
tarball, this should be fixed for this release.
* While the rc.2 tarballs are smaller than the rc.1 tarballs, the patch for
rc.2 is much larger than usual, due to the removal of Gruntfile.js and
package-lock.json files from the tarball.
Changes since 1.35.0-rc.1:
* (T259693) uuid: Fix filenames on Windows.
* Remove Gruntfile.js and package-lock.json from the tarball.
* firejail: Strengthen by copying from Wikimedia's profile.
* (T260059) ResourceLoaderOOUIImageModule: loadOOUIDefinition() may return
false.
* (T30162, T245387) The installer supports using a Postgres server running
on a custom port other than 5432.
* (T260201) Support private wikis in Parsoid zero configuration mode.
* Fix bad use of `|=` PHP bit operation where `= … ||` bool is intended.
* (T259212) SpecialBlock: Show error if a block could not be inserted or
found.
* (T255842) UserOptionsManager: fix options reset.
* (T258649) WatchAction: avoid unnecessary UPDATEs when expiry is unchanged.
* (T250851) Allow skins to override mediawiki.page.ready initialisation.
* (T250851) mediawiki.page.ready: Allow skins to disable search lazy load.
* (T253135, T255632) Update language in watchlist expiry.
* Use IPset in MWRestrictions::checkIP.
* (T259564) Fix race condition on edit page.
* (T260759) Hide watchlist expiry label in edit form.
* mime: Fix docs of MIME_EXTENSIONS, they're arrays, not space-seperated.
* (T260031) Add application/font-sfnt to MimeMap for ttf files.
* (T259379) WatchedItemStore: Cache single WatchedItems with preexisting
expiry.
* Add a maintenance script to create bot passwords.
* (T201269) Add Traditional Chinese zh-hant as fallback for Amis (ami).
* Improve wfParseUrl docs.
* (T251038) Add multi index fields in ImageListPager for unique paginate.
* (T259916) Guard against 'Widget not found' error.
Preliminary release notes:
https://phabricator.wikimedia.org/source/mediawiki/browse/REL1_35/RELEASE-N…https://www.mediawiki.org/wiki/Release_notes/1.35
Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/
Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-…
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0-rc.2.ta…
Patch to previous version (1.35.0-rc.0):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0-rc.2.ta…https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0-rc.2.tar.gz.…
Public keys:
https://www.mediawiki.org/keys/keys.html