I would like to announce the release of MediaWiki 1.31.11 and 1.35.1!
These releases also serve as a maintenance release for these branches. Numerous fixes have been backported into 1.35, including some for PHP 8.0 support (though we are not declaring full PHP 8.0 support yet).
T268894 doesn't apply to MediaWiki 1.31, as the code was added in 1.35. Also, only one of the two fixes of T268938 apply to MediaWiki 1.31, as the code was not added until MediaWiki 1.33.
While tarballs have already been uploaded, git tags will follow later on today.
An "MediaWiki Extensions Security Release Supplement" email will follow this one.
== Security fixes == * (T268894, CVE-2020-35474) SECURITY: Message recentchanges-legend-watchlistexpiry can contain raw html. * (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current and userrights-expiry-none can contain raw html. * (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can output raw html. * (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. * (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.
== Links to all mentioned tasks == * https://phabricator.wikimedia.org/T268894 * https://phabricator.wikimedia.org/T268917 * https://phabricator.wikimedia.org/T268938 * https://phabricator.wikimedia.org/T205908 * https://phabricator.wikimedia.org/T120883
== Release notes ==
Full release notes for 1.31.11: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.31
Full release notes for 1.35.1: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.35
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz
Patch to previous version (1.31.10): https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz
GPG signatures: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz.... https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz
Patch to previous version (1.35.0): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz
GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz.sig
Public keys: https://www.mediawiki.org/keys/keys.html
wikitech-l@lists.wikimedia.org