I would like to announce the release of MediaWiki 1.26.3, 1.25.6 and 1.23.14.
These releases fix sixteen security issues in core, one issue in the bundled extension SyntaxHighlight_GeSHi and one issue in the non-bundled extension Scribunto. Download links are given at the end of this email.
== Security fixes ==
* T122056: Old tokens are remaining valid within a new session
* T127114: Login throttle can be tricked using non-canonicalized usernames
* T123653: Cross-domain policy regexp is too narrow
* T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
* T129506: MediaWiki:Gadget-popups.js isn't renderable
* T125283: Users occasionally logged in as different users after SessionManager deployment
* T103239: Patrol allows click catching and patrolling of any page
* T122807: [tracking] Check php crypto primatives
* T98313: Graphs can leak tokens, leading to CSRF
* T130947: Diff generation should use PoolCounter
* T133507: Careless use of $wgExternalLinkTarget is insecure
* T132874: API action=move is not rate limited

This fix affects both core and SyntaxHighlight_GeSHi:
* T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags

These two fixes are not applicable to 1.23.14 as the 1.23 branch does not contain pbkdf2 support.
* T116030: Increase pbkdf2 parameter strengths
* T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded

This fix is already in master and the 1.27 release branch, and is just being backported to 1.23 and 1.25:
* T126685: Globally throttle password attempts

== Links to all mentioned tasks ==
https://phabricator.wikimedia.org/T122056
https://phabricator.wikimedia.org/T127114
https://phabricator.wikimedia.org/T123653
https://phabricator.wikimedia.org/T123071
https://phabricator.wikimedia.org/T129506
https://phabricator.wikimedia.org/T125283
https://phabricator.wikimedia.org/T103239
https://phabricator.wikimedia.org/T122807
https://phabricator.wikimedia.org/T98313
https://phabricator.wikimedia.org/T130947
https://phabricator.wikimedia.org/T133507
https://phabricator.wikimedia.org/T132874
https://phabricator.wikimedia.org/T110143
https://phabricator.wikimedia.org/T116030
https://phabricator.wikimedia.org/T127420
https://phabricator.wikimedia.org/T126685
== Release notes ==
Full release notes for 1.26.3: https://www.mediawiki.org/wiki/Release_notes/1.26
Full release notes for 1.25.6: https://www.mediawiki.org/wiki/Release_notes/1.25
Full release notes for 1.23.14: https://www.mediawiki.org/wiki/Release_notes/1.23
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
**********************************************************************
1.26.3
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz

Patch to previous version: https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz.s...

Public keys: https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.25.6
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz

Patch to previous version: https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz.s...

Public keys: https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.23.14
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz

Patch to previous version: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz....

Public keys: https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Hi Chad,
It looks like the 1.23.14 release still has the version number 1.23.13. I'm seeing this both in the patch and in the full download.
~Rusty
Yes, it's been pointed out that I forgot to bump the version number in the tarballs. Sorry about that.
The tags in Git *will* contain the proper version.
-Chad
On Fri, May 20, 2016 at 10:47 AM Rusty Burchfield gicodewarrior@gmail.com wrote:
Hi Chad,
It looks like the 1.23.14 release still has the version number 1.23.13. I'm seeing this both in the patch and in the full download.
~Rusty
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Sent from my mobile phone, please excuse any typos.
On 20 May 2016 7:08 PM, "Chad" innocentkiller@gmail.com wrote: