Hello everyone, I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch. == Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 == * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. == Bugfixes == * (bug T74222) The original patch for T74222 was reverted as unnecessary. * Fixed a couple of entries in RELEASE-NOTES-1.24. * (bug T76168) OutputPage: Add accessors for some protected properties. * (bug T74834) Make 1.24 branch directly installable under PostgreSQL. * Add missing $ in front of variable in OutputPage.php == Security fixes in extensions == * (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters. * (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches. * (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed * (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts. * (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing * (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053. Full release notes for 1.24.1: <https://www.mediawiki.org/wiki/Release_notes/1.24> Full release notes for 1.23.8: <https://www.mediawiki.org/wiki/Release_notes/1.23> Full release notes for 1.22.15: <https://www.mediawiki.org/wiki/Release_notes/1.22> Full release notes for 1.19.23: <https://www.mediawiki.org/wiki/Release_notes/1.19> Public keys: <https://www.mediawiki.org/keys/keys.html> ********************************************************************** 1.24.1 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz Patch to previous version (1.24.0): https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz.sig ********************************************************************** 1.23.8 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz Patch to previous version (1.23.7): https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.8.tar.gz.… https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz.sig ********************************************************************** 1.22.15 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz Patch to previous version (1.22.14): https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.15.tar.gz… https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz.sig ********************************************************************** 1.19.23 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz Patch to previous version (1.19.22): https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.23.tar.gz… https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz.sig Markus Glaser (Wiki Release Team)