I would like to announce the release of MediaWiki 1.35.5, 1.36.3 and 1.37.1!

This release fixes multiple high severity authorization bypasses in MediaWiki core that both allow for reading private wikis and editing arbitrary pages on any wiki.

If you do not have time to upgrade right away, please set the following at the bottom of your LocalSettings.php to disable the vulnerable code immediately:

  $wgActions['mcrundo'] = false;
  $wgActions['mcrrestore'] = false;
  $wgWhitelistRead = [];
  $wgWhitelistReadRegexp = [];

This will also work for vulnerable end-of-life MediaWiki versions that do not have a patch available.

A more detailed FAQ about these issues is available at https://www.mediawiki.org/wiki/2021-12_security_release/FAQ

These releases also serve as a maintenance release for these branches.

Note that the patches are much larger than recent previous security and maintenance releases. This is due to the re-introduction of translation backports. These include the export of new languages that have met the translation threshold in the development branch of MediaWiki. These translation updates are for both MediaWiki core and the bundled skins and extensions. In the case of MediaWiki 1.35, this is translation updates going back 18 months, hence the size of the patch.

While tarballs have already been uploaded as of this e-mail, git tags will follow later on today.

An "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Finally, a big thanks to all those involved in reporting, investigating and fixing these issues.

== Security fixes ==
* (T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action

=== Extension security fixes ===
* (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
* (T294686) Special:Nuke doesn't actually delete pages.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T294686
* https://phabricator.wikimedia.org/T297322
* https://phabricator.wikimedia.org/T293589
* https://phabricator.wikimedia.org/T292763
* https://phabricator.wikimedia.org/T271037

== Release notes ==

Full release notes for 1.35.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.36.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_36/RELEASE-NOTES-1.36
https://www.mediawiki.org/wiki/Release_notes/1.36

Full release notes for 1.37.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
https://www.mediawiki.org/wiki/Release_notes/1.37

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip

Patch to previous version (1.36.2):
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip

Patch to previous version (1.37.0):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip

Patch to previous version (1.35.4):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html