[MediaWiki-announce] Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

Chad innocentkiller at gmail.com
Fri Dec 18 00:25:59 UTC 2015


I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5, and
1.23.12.

These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email.

== Security fixes ==

(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error.

(T119309) SECURITY: Use hash_compare() for edit token comparison

(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with
'@' as file uploads

(T115522) SECURITY: Passwords generated by User::randomPassword() can no longer
be shorter than $wgMinimalPasswordLength

(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued

(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and
related pages no longer use HTTP redirects and are now redirected by MediaWiki

== Note about EOL of 1.24.x ==

Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0 but
we dropped one final release of 1.24.x here to give it a nicer send off for
those who have not yet upgraded.

== Release notes ==

Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>

Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
   1.26.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.1.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.25.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.4.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.24.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.5.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

-Chad H. & Chris S.
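
Added example (not part of the original announcement and not MediaWiki's own
code): a PHP check that applies the T117899 rule as stated above to the four
sample values the announcement gives. checkArticlePath() and articleHref() are
hypothetical names, and the "$1" substitution is simplified (no URL encoding).

```php
<?php
// Added example, not MediaWiki's own code. Both function names are hypothetical.

/**
 * Apply the rule from the announcement to a $wgArticlePath value.
 * Returns null when the value is acceptable, otherwise a short reason.
 */
function checkArticlePath( string $path ): ?string {
	// Absolute URL with an explicit scheme, e.g. 'http://my.wiki.com/wiki/$1'.
	if ( preg_match( '!^https?://!i', $path ) === 1 ) {
		return null;
	}
	// Path that begins with a slash, e.g. '/wiki/$1'.
	if ( $path !== '' && $path[0] === '/' ) {
		return null;
	}
	return 'relative path that does not begin with a slash';
}

/**
 * Fill the '$1' placeholder with a page title (simplified: no encoding).
 * Shows what ends up at the very start of the link target.
 */
function articleHref( string $path, string $title ): string {
	return str_replace( '$1', $title, $path );
}

// The four sample values quoted in the announcement (single-quoted so that
// PHP never treats '$1' as a variable).
$samples = [
	'http://my.wiki.com/wiki/$1',
	'/wiki/$1',
	'$1',
	'wiki/$1',
];

// Constructed, harmless page title containing a namespace colon.
$title = 'Help:Contents';

foreach ( $samples as $path ) {
	$reason = checkArticlePath( $path );
	$href = articleHref( $path, $title );
	// With the bare '$1' value the href starts with the title itself, so its
	// leading "Help:" sits where a browser looks for a URL scheme.
	printf( "%-28s %-7s href=%s%s\n", $path, $reason === null ? 'OK' : 'REJECT',
		$href, $reason === null ? '' : "  ($reason)" );
}
```

Run it from the command line with the value from your own LocalSettings.php
added to $samples before upgrading, since a rejected value will now stop the
wiki with an error.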

