Hello,
If I'm not mistaken, the Git tag 1.36.3 has not been published. Comparing with the .tar.gz,
it is almost identical to 77a1df84ea except for RELEASE-NOTES-1.36.
Thanks,
Sébastien
On 15/12/2021 at 20:28, Sam Reed wrote:
> I would like to announce the release of MediaWiki 1.35.5, 1.36.3 and 1.37.1!
>
> This release fixes multiple high severity authorization bypasses in MediaWiki core
> that both allow for reading private wikis and editing arbitrary pages on any wiki.
>
> If you do not have time to upgrade right away, please set the following at the bottom
> of your LocalSettings.php to disable the vulnerable code immediately:
>
> $wgActions['mcrundo'] = false;
> $wgActions['mcrrestore'] = false;
> $wgWhitelistRead = [];
> $wgWhitelistReadRegexp = [];
>
> This will also work for vulnerable end-of-life MediaWiki versions that do not have a
> patch available.
>
> A more detailed FAQ about these issues is available at
> https://www.mediawiki.org/wiki/2021-12_security_release/FAQ
>
> These releases also serve as a maintenance release for these branches.
>
> Note that the patches are much larger than recent previous security and maintenance
> releases. This is due to the re-introduction of translation backports. These include the
> export of new languages that have met the translation threshold in the development branch
> of MediaWiki. These translation updates are for both MediaWiki core and the bundled skins
> and extensions. In the case of MediaWiki 1.35, this is translation updates going back 18
> months, hence the size of the patch.
>
> While tarballs have already been uploaded as of this e-mail, git tags will follow
> later on today.
>
> A "MediaWiki Extensions Security Release Supplement" e-mail will follow
> this one, covering security updates for non-bundled extensions.
>
> Finally, a big thanks to all those involved in reporting, investigating and fixing
> these issues.
>
> == Security fixes ==
> * (T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search
> results from private wikis.
> * (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via
> Special:ChangeContentModel.
> * (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the
> content of arbitrary pages.
> * (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis
> using various actions.
> * (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using
> rollback action.
>
> === Extension security fixes ===
> * (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
> * (T294686) Special:Nuke doesn't actually delete pages.
>
> == Links to all mentioned tasks ==
> * https://phabricator.wikimedia.org/T294686
> * https://phabricator.wikimedia.org/T297322
> * https://phabricator.wikimedia.org/T293589
> * https://phabricator.wikimedia.org/T292763
> * https://phabricator.wikimedia.org/T271037
>
> == Release notes ==
>
> Full release notes for 1.35.5:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
> https://www.mediawiki.org/wiki/Release_notes/1.35
>
> Full release notes for 1.36.3:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_36/RELEASE-NOTES-1.36
> https://www.mediawiki.org/wiki/Release_notes/1.36
>
> Full release notes for 1.37.1:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
> https://www.mediawiki.org/wiki/Release_notes/1.37
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip
>
> Patch to previous version (1.36.2):
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip.sig
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip.sig
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip
>
> Patch to previous version (1.37.0):
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip.sig
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip.sig
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip
>
> Patch to previous version (1.35.4):
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip.sig
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip.sig
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz.sig
> https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> _______________________________________________
> Wikitech-l mailing list -- wikitech-l(a)lists.wikimedia.org
> To unsubscribe send an email to wikitech-l-leave(a)lists.wikimedia.org
> https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
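The interim mitigation in the quoted announcement only works if the four assignments are the last writes to those variables in LocalSettings.php, because PHP keeps the last value assigned. The following script, added here as an example and not part of the thread, of MediaWiki, or of any Wikimedia tooling, replays the simple assignment forms found in a typical LocalSettings.php (`$var = ...;`, `$var['key'] = ...;`, `$var[] = ...;`) and reports whether each advised value is still in effect at the end of the file. It assumes a flat file: `require`d files, conditionals and values containing a literal `;` are outside its scope, and the sample configurations embedded below are constructed for the demonstration.

```python
"""Check whether the 2021-12 MediaWiki interim mitigation is effective in a LocalSettings.php.

Added example, not MediaWiki code. Handles only straight-line assignments; an include or
an if-block that later rewrites these variables is not followed (assumption of this tool).
"""
import re

# One assignment statement at the start of a line, optionally with a single subscript.
# Groups: name, whole subscript, single-quoted key, double-quoted key, right-hand side.
ASSIGN_RE = re.compile(
    r"^\s*\$(\w+)\s*(\[\s*(?:'([^']*)'|\"([^\"]*)\")?\s*\])?\s*=\s*(.*?)\s*;",
    re.MULTILINE | re.DOTALL,
)


def strip_comments(src: str) -> str:
    """Drop /* */ blocks and full-line // or # comments (trailing comments are left alone
    so that URLs inside string values are not damaged)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(?m)^\s*(//|#).*$", "", src)


def effective_settings(src: str) -> dict:
    """Replay assignments top to bottom; the last write wins, as in PHP.

    Per variable we track: the last whole-variable value, element writes made after it,
    and whether any `$var[] = ...` append happened after it.
    """
    state: dict = {}
    for m in ASSIGN_RE.finditer(strip_comments(src)):
        name, subscript, key_sq, key_dq, value = m.groups()
        value = re.sub(r"\s+", "", value)  # normalise whitespace inside the RHS
        entry = state.setdefault(name, {"whole": None, "elems": {}, "appended": False})
        if subscript is None:
            # `$var = ...;` replaces the whole array, discarding earlier element writes.
            entry.update(whole=value, elems={}, appended=False)
        elif key_sq is None and key_dq is None:
            entry["appended"] = True  # `$var[] = ...;` adds an element
        else:
            entry["elems"][key_sq if key_sq is not None else key_dq] = value
    return state


def is_empty_array(value) -> bool:
    return value in ("[]", "array()")


def mitigation_status(src: str) -> dict:
    """Return {setting: True/False}; True means the advised value is in effect at EOF.
    An unset variable is reported as not applied, conservatively."""
    state = effective_settings(src)
    status = {}
    actions = state.get("wgActions", {"whole": None, "elems": {}, "appended": False})
    for action in ("mcrundo", "mcrrestore"):
        status[f"wgActions[{action}]"] = actions["elems"].get(action) == "false"
    for name in ("wgWhitelistRead", "wgWhitelistReadRegexp"):
        entry = state.get(name)
        status[name] = (
            bool(entry)
            and is_empty_array(entry["whole"])
            and not entry["elems"]
            and not entry["appended"]
        )
    return status


# Constructed sample configurations (not taken from any real site).
SAMPLE_BEFORE = """<?php
# Constructed sample LocalSettings.php
$wgSitename = "ExampleWiki";
$wgGroupPermissions['*']['read'] = false;
$wgWhitelistRead = ['Main Page', 'Special:UserLogin'];
"""

SAMPLE_AFTER = SAMPLE_BEFORE + """
// interim mitigation from the announcement, appended at the bottom
$wgActions['mcrundo'] = false;
$wgActions['mcrrestore'] = false;
$wgWhitelistRead = [];
$wgWhitelistReadRegexp = [];
"""

# A later line re-adds a whitelist entry, silently undoing part of the mitigation.
SAMPLE_UNDONE = SAMPLE_AFTER + """
$wgWhitelistRead[] = 'Main Page';   // whitelist is no longer empty
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER), ("undone", SAMPLE_UNDONE)):
        print(label, mitigation_status(sample))
```

Running the script prints one status line per sample; only the "after" sample has every setting reported as applied, and the "undone" sample shows why the advice says to put the lines at the bottom of the file.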