I would like to announce the release of MediaWiki 1.33.2, 1.32.6 and 1.31.6!
These releases also serve as a maintenance release for these branches.
While tarballs have already been uploaded, git tags will follow later on today.
As a reminder, 1.32.6 will also be the final release for 1.32 (barring any unforeseen issues), which is scheduled to become end of life in January 2020 [1]. If you're using 1.32, it is recommended that you upgrade to the latest point release of the 1.33 branch (1.33.2, to be released tomorrow) or 1.34.0 to carry on using a maintained and supported release.
An "MediaWiki Extensions Security Release Supplement" email will follow this one.
== Security fixes == * (T192134) Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset. * (T212067) wfParseUrl() incorrectly parses hostnames in older PHP and HHVM versions due to bug in parse_url(). This is only potentially an issue on MW < 1.34 where it supports PHP version (see PHP bug 73192) 7.0.0–7.0.12, or HHVM less than 3.18.6. * (T239466) Possible to circumvent title-blacklist (CVE-2019-19709).
== Links to all mentioned tasks == * https://phabricator.wikimedia.org/T212067 * https://phabricator.wikimedia.org/T239466 * https://phabricator.wikimedia.org/T192134 * https://bugs.php.net/bug.php?id=73192
== Release notes ==
Full release notes for 1.31.6: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.31
Full release notes for 1.32.6: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_32/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.32
Full release notes for 1.33.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_33/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.33
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.tar.gz
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.6.tar.gz
Patch to previous version (1.31.5): https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.patch.gz
GPG signatures: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.6.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.patch.gz.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.tar.gz
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.6.tar.gz
Patch to previous version (1.32.5): https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.patch.gz
GPG signatures: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.6.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.patch.gz.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz
Patch to previous version (1.33.1): https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz
GPG signatures: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig
Public keys: https://www.mediawiki.org/keys/keys.html
mediawiki-announce@lists.wikimedia.org