I would like to announce the release of MediaWiki 1.26.3, 1.25.6 and 1.23.14.
These releases fix sixteen security issues in core, one issue in the bundled extension SyntaxHighlight_GeSHi and one issue in the non-bundled extension Scribunto. Download links are given at the end of this email.
== Security fixes ==
* T122056: Old tokens remain valid within a new session
* T127114: Login throttle can be tricked using non-canonicalized usernames
* T123653: Cross-domain policy regexp is too narrow
* T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
* T129506: MediaWiki:Gadget-popups.js isn't renderable
* T125283: Users occasionally logged in as different users after SessionManager deployment
* T103239: Patrol allows click catching and patrolling of any page
* T122807: [tracking] Check php crypto primitives
* T98313: Graphs can leak tokens, leading to CSRF
* T130947: Diff generation should use PoolCounter
* T133507: Careless use of $wgExternalLinkTarget is insecure
* T132874: API action=move is not rate limited
This fix affects both core and SyntaxHighlight_GeSHi:
* T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags
These two fixes are not applicable to 1.23.14, as the 1.23 branch does not contain pbkdf2 support:
* T116030: Increase pbkdf2 parameter strengths
* T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded
This fix is already in master and the 1.27 release branch, and is just being backported to 1.23 and 1.25:
* T126685: Globally throttle password attempts
== Links to all mentioned tasks ==
https://phabricator.wikimedia.org/T122056
https://phabricator.wikimedia.org/T127114
https://phabricator.wikimedia.org/T123653
https://phabricator.wikimedia.org/T123071
https://phabricator.wikimedia.org/T129506
https://phabricator.wikimedia.org/T125283
https://phabricator.wikimedia.org/T103239
https://phabricator.wikimedia.org/T122807
https://phabricator.wikimedia.org/T98313
https://phabricator.wikimedia.org/T130947
https://phabricator.wikimedia.org/T133507
https://phabricator.wikimedia.org/T132874
https://phabricator.wikimedia.org/T110143
https://phabricator.wikimedia.org/T116030
https://phabricator.wikimedia.org/T127420
https://phabricator.wikimedia.org/T126685
== Release notes ==
Full release notes for 1.26.3: https://www.mediawiki.org/wiki/Release_notes/1.26
Full release notes for 1.25.6: https://www.mediawiki.org/wiki/Release_notes/1.25
Full release notes for 1.23.14: https://www.mediawiki.org/wiki/Release_notes/1.23
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
**********************************************************************
1.26.3
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz
Patch to previous version: https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz.s...
Public keys: https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.25.6
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz
Patch to previous version: https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz.s...
Public keys: https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.23.14
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz
Patch to previous version: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz....
Public keys: https://www.mediawiki.org/keys/keys.html
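Each of the three release sections above lists a tarball, a detached .sig file and the page of public keys. The script below is an added example, not part of this announcement or of MediaWiki itself, showing how an operator would check a downloaded tarball against its signature before unpacking it. It assumes gpg is installed, that the release keys from https://www.mediawiki.org/keys/keys.html have already been imported into the local keyring, and that the operator knows the expected signing-key fingerprint (passed in as a placeholder argument; the announcement does not list fingerprints). The function name `verify_release` and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the release announcement): verify a MediaWiki
# release tarball against its detached GPG signature.
#
# Usage: verify_release TARBALL SIGNATURE EXPECTED_FINGERPRINT
# Exit codes: 0 good signature from the expected key
#             1 gpg ran but the signature did not verify
#             2 tarball or signature file missing
#             3 gpg is not installed
#             4 signature is valid but made by a different key

verify_release() {
    tarball="$1"
    sig="$2"
    expected_fpr="$3"

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }

    # --status-fd 1 makes gpg print machine-readable "[GNUPG:] ..." lines.
    # A non-zero exit means the signature did not verify at all.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1

    # gpg --verify exits 0 for any cryptographically valid signature, even from
    # a key that is not the project's, so the fingerprint must be compared too.
    # VALIDSIG carries the signing (sub)key fingerprint as field 3 and the
    # primary key fingerprint as the last field; accept a match on either.
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; print $NF }')
    [ -n "$fprs" ] || return 1

    for f in $fprs; do
        [ "$f" = "$expected_fpr" ] && return 0
    done
    echo "signed by unexpected key(s): $fprs" >&2
    return 4
}

# Run as a script with three arguments; defines only the function otherwise.
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Only after `verify_release` exits 0 should the archive be unpacked; the patch.gz files in the announcement can be checked the same way with their .sig counterparts.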
-Chad H. & Chris S.