MediaWiki-distributors April 2013

mediawiki-distributors@lists.wikimedia.org

1 participants
4 discussions

Re: [MediaWiki-distributors] Early (embargoed) disclosure of upcoming security releases
by Chris Steipp 01 Sep '13

01 Sep '13

Jonathan, I'm definitely open to working with debian to find a way to get you early access. We've guessed that was something some distributions would like, but I haven't worked with each distro to figure out their needs yet. Thanks for bringing the subject up. For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the non-public bugs (if you have another preferred webapp scoring system, I'm happy to generate a score for you). Additionally, already publicly in the release branches are patches to pass '2' to CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl connections. Hope that helps! Chris

3 2

1.21.0rc4 -- another week, another RC
by Mark A. Hershberger 22 Apr '13

22 Apr '13

This is RC4 for 1.21.0 due to be released on May 15, 2013. The patches included since RC3 are after the download instructions. While testing this release candidate, I discovered a bug in the installer (Bug #47489) which I would like to get fixed before a final release. I've changed the list of bugs I would like to see fixed in the next couple of weeks before release to 3 installer-only bugs: https://bugzilla.wikimedia.org/buglist.cgi?bug_id=47489%2C46802%2C43817 https://bugzilla.wikimedia.org/43817 Include short descriptions for extensions bundled in the release https://bugzilla.wikimedia.org/46802 Enabling extensions during install process displays empty readonly textbox on status page https://bugzilla.wikimedia.org/47489 white screen after no db selection I'll take a stab at these, but I appreciate any help you guys can give. Full release notes: https://www.mediawiki.org/wiki/Release_notes/1.21 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc4.tar.gz http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.tar.gz Patch to previous version (1.20.0), without interface text: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc4.patch… GPG signatures: http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc4.tar.g… http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.tar.gz.sig http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.patch.gz.s… http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc4.patch… Public keys: https://secure.wikimedia.org/keys.html Patches included since RC3: commit 29d3243339f836ad13a722762e4b0f7056ee3764 Author: Brad Jorsch <bjorsch(a)wikimedia.org> Date: Sun Mar 3 22:35:05 2013 -0500 Add parser method to call parser functions There is currently no straightforward way for anything to call a parser function and get the result. This abstracts out that portion of braceSubstitution() to allow this. The immediate motivation for this patch is to close bug 41769 against Scribunto, see I0138836654b0e34c5c23daaedcdf5d4f9d1c7ab2. Bug: 41769 Change-Id: I339b882010dedd714e7965e25ad650ed8b8cd48f commit c81f3673423021c92a8e08a207236b4d48b0bc46 Author: Timo Tijhof <ttijhof(a)wikimedia.org> Date: Tue Mar 26 18:59:07 2013 +0100 mw.loader: Guard against odd setTimeout behaviour in old Firefox Bug: 46575 Change-Id: I80af730daa815f0c273fe942c570d1f0144bbbb1 commit d43c43727c0273ab9a861b39a70609bfbe14a801 Author: PleaseStand <pleasestand(a)live.com> Date: Wed Apr 17 13:49:50 2013 +0000 Revert "Remove link to Special:ActiveUsers from Special:Statistics" Special:ActiveUsers still seems to be in REL1_21, and there is a pending change set (Ib43b4205) to add back the special page on the master branch. This reverts commit 4b2c7373f2ab6f701cbd7f371ad4b95829e34e70 Change-Id: I5669477091ada36ea28c33de1232d2b7e9d0b413 commit c6528bb73b99de3ae6a5f3d8493e9dc8a1eb9120 Author: csteipp <csteipp(a)wikimedia.org> Date: Mon Apr 15 13:42:02 2013 -0700 Sanitize $limitReport before outputting Prevents possible injection of "-->" and other HTML by extensions using the ParserLimitReport hook. bug: 46084 Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a (cherry picked from commit 69f96f65dd99e54b84e489e7d957b7526653474c) commit 73f30041f2cf4f5cac08bb3b37a38fa80832bec3 Author: csteipp <csteipp(a)wikimedia.org> Date: Mon Apr 15 13:44:23 2013 -0700 Disable external entities in XMLReader Temporarily disable loading entities in XMLReader when calling read() with libxml_disable_entity_loader(true). bug: 46859 Change-Id: I0b2ef270f15c7b4da17edee680bf7e2410919915 (cherry picked from commit 1ed76385c31f44c589f6e5a99c9c56f1f3f76728) commit 9c902fb78536566c3deb85cc1bfb033074520e22 Author: csteipp <csteipp(a)wikimedia.org> Date: Mon Apr 15 13:47:10 2013 -0700 Disable external entities in Import Temporarily disable loading entities in XMLReader when calling read() during import. (cherry picked from commit 77a8d576918b6a47b80a67a3653662a2d705d6c3) bug: 47251 Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964

1 0

1.21.0rc3 -- more bug fixes and testing
by Mark A. Hershberger 16 Apr '13

16 Apr '13

It is time again for a new MediaWiki release candidate. Download links at the end of this email. Note that I've include a "core-only" tarball this week as well. Since last week, the following fixes were included in the tarball: * https://gerrit.wikimedia.org/r/58418/ backport changes in Collation from master * https://gerrit.wikimedia.org/r/58462/ Cleared ResourceLoader blob store after update.php finishes. * https://gerrit.wikimedia.org/r/59102/ PHP Fatal error: Call to a member function isLocal() on non-object in Title.php * https://gerrit.wikimedia.org/r/59265/ Combine JavaScript and JSON encoding logic * https://gerrit.wikimedia.org/r/59328/ Fix pretty JSON when strings end with backslashes * https://gerrit.wikimedia.org/r/59329/ FormatJson: microoptimizations for UTF8_OK mode Fixes in queue: * https://gerrit.wikimedia.org/r/59369/ Disable $wgContentHandlerUseDB during upgrade where fields don't exist. * https://gerrit.wikimedia.org/r/59375/ Sanitize $limitReport before outputting * https://gerrit.wikimedia.org/r/59376/ Disable external entities in XMLReader * https://gerrit.wikimedia.org/r/59377/ Disable external entities in Import And, finally, if you want to pitch in, it isn't too late. Here is a list of bugs I'd like to get fixed before the final release: https://bugzilla.wikimedia.org/buglist.cgi?bug_id=46802,46401,44907,44568,4… <https://bugzilla.wikimedia.org/buglist.cgi?bug_id=46802,46401,44907,44568,4…> * http://bugzilla.wikimedia.org/43817 Include short descriptions for extensions bundled in the release * http://bugzilla.wikimedia.org/44294 MWException error - Error: invalid magic word 'speciale' * http://bugzilla.wikimedia.org/44568 bin/ulimit5.sh isn't UNIX compliant * http://bugzilla.wikimedia.org/44907 ResourceLoader: Invalid argument supplied for foreach * http://bugzilla.wikimedia.org/46401 [Regression] mw.loader: Code should execute after styles being loaded (wait for async cssText buffering) * http://bugzilla.wikimedia.org/46802 Enabling extensions during install process displays empty readonly textbox on status page Full release notes: https://www.mediawiki.org/wiki/Release_notes/1.21 ******************************************************************************************************************** Download: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc3.tar.gz <http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.tar.gz> http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc3.tar.gz Patch to previous version (1.20.0), without interface text: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc3.patch.gz <http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.patch.gz> Interface text changes: http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc3.patch… <http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc2.patch…> GPG signatures: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc3.tar.gz.sig <http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.tar.gz.sig> http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc3.tar.g… <http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.tar.gz.sig> http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc3.patch.gz.s… <http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.patch.gz.s…> http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc3.patch… <http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc2.patch…> Public keys: https://secure.wikimedia.org/keys.html

1 0

MediaWiki 1.21rc2 -- More 1.21 testing
by Mark A. Hershberger 08 Apr '13

08 Apr '13

It is time again for a new MediaWiki release candidate. Since last week, patches to fix the following bugs were included in the tarball: Bug 46719: Remove link to Special:ActiveUsers from Special:Statistics Bug 46493: Handle invalid titles on ProtectedPages and ProtectedTitles Bug 46787: API: Fix rccontinue handling Bug 40617: Installer can now customize the logo in LocalSettings.php Newly reported, but not yet fixed, during testing of RC1: Bug 46943: Job queue items from 1.20 get lost – need exit strategy for upgrade Please download the release candidate and test it. If you find any bugs please report them on Bugzilla[1] and make sure I am added as a CC so that we can fix any show-stoppers before the final release. Don't forget to look over https://www.mediawiki.org/wiki/MediaWiki_1.21 and make any corrections or additions that are needed since I'll be using a (lightly edited) version of that to make the final announcement. Finally, I'll be preparing a third release candidate for next week. Quim Gil wants to do a testing week during that time. If you'd like to help me put together a testing plan for that week, let me know. [1] https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki&cc=mah@every… Full release notes: https://www.mediawiki.org/wiki/Release_notes/1.21 ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.tar.gz Patch to previous version (1.20.0), without interface text: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc2.patch… GPG signatures: http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.tar.gz.sig http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc2.patch.gz.s… http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc2.patch… Public keys: https://secure.wikimedia.org/keys.html

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

MediaWiki-distributors April 2013