[MediaWiki-announce] Security release: 1.27.5 / 1.29.3 / 1.30.1 / 1.31.1

Sam Reed reedy at wikimedia.org
Thu Sep 20 21:18:59 UTC 2018


I would like to announce the release of MediaWiki 1.31.1, 1.30.1, 1.29.3
and 1.27.5!

These releases fix 4 security issues in core and also include some minor
security and hardening patches that were previously committed to git.
Download links are given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land in
the relevant branches as fast as our CI infrastructure allows. Git tags will
follow soon after. All related tasks will be made public in Phabricator too
in the following few hours.

Please note that July 2018 was the End-Of-Life date for MediaWiki 1.29. This
means that MediaWiki 1.29.3 will be the last security release for that
version, barring any unforeseen issues. We would strongly encourage users of
MediaWiki 1.29 to upgrade to MediaWiki 1.31, released in June 2018, or a yet
newer version as soon as possible. MediaWiki 1.31 will be supported until
July 2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more
information.

The patch files for this release are larger than normal as we are switching
to a new release script that more aggressively removes dotfiles and other
development files. Extensions missing from previous releases have been
re-added, and unnecessary dependencies in vendor have been removed.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T169545, CVE-2018-0503) $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) BotPasswords can bypass CentralAuth's account
  lock.
  Reported by Rxy.
* (T187638, CVE-2018-0504) When a log event is (partially) hidden,
  Special:Redirect/logid can link to the incorrect log and reveal hidden
  information.
  Reported by JJMC89.
* (T193237) Special:BotPasswords should require reauthentication. No CVE was
  issued since this is a hardening measure.
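The first item above (T169545) concerns which $wgRateLimits entry is chosen for a newly registered account. The following is an added model of that precedence, written for this announcement and not MediaWiki's own code; the limits dictionary is a constructed example in the shape of $wgRateLimits (action -> group -> (count, seconds)), and the "pre-fix" branch reproduces only the behaviour the advisory describes, namely the 'user' entry overriding 'newbie'.

```python
"""Model of $wgRateLimits group precedence for T169545 / CVE-2018-0503."""
from collections import deque

# Constructed config: a strict limit for new accounts, a lenient one for users.
RATE_LIMITS = {
    "edit": {"anon": (8, 60), "newbie": (8, 60), "user": (90, 60)},
}


def select_limit(limits, action, is_anon, is_newbie, fixed=True):
    """Return the (count, seconds) limit that applies to this actor, or None."""
    groups = limits.get(action, {})
    if is_anon:
        return groups.get("anon")
    if fixed:
        # Hardened precedence: a newbie gets the 'newbie' entry when present
        # and only falls back to 'user' when there is none.
        if is_newbie and "newbie" in groups:
            return groups["newbie"]
        return groups.get("user")
    # Pre-fix behaviour as described in the advisory: 'newbie' is picked up
    # first, then an existing 'user' entry unconditionally overrides it.
    chosen = groups.get("newbie") if is_newbie else None
    if "user" in groups:
        chosen = groups["user"]
    return chosen


class SlidingWindow:
    """Count hits in a trailing window and refuse once the limit is reached."""

    def __init__(self, limit):
        self.count, self.seconds = limit
        self.hits = deque()

    def allow(self, now):
        while self.hits and now - self.hits[0] >= self.seconds:
            self.hits.popleft()
        if len(self.hits) >= self.count:
            return False
        self.hits.append(now)
        return True


def allowed_in_window(limits, action, is_newbie, attempts, fixed=True):
    """How many of `attempts` one-per-second requests get through the limiter."""
    limit = select_limit(limits, action, False, is_newbie, fixed=fixed)
    if limit is None:
        return attempts
    window = SlidingWindow(limit)
    return sum(1 for t in range(attempts) if window.allow(t))
```

With the constructed config, a new account making 20 edits in a minute is stopped after 8 under the corrected precedence but gets all 20 through when 'user' overrides 'newbie'.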

The following only affects the 1.31 tarball:
* (T199029, CVE-2018-13258) Tarball was missing .htaccess files.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T169545
* https://phabricator.wikimedia.org/T194605
* https://phabricator.wikimedia.org/T187638
* https://phabricator.wikimedia.org/T193237
* https://phabricator.wikimedia.org/T199029

== Release notes ==

Full release notes for 1.27.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.29.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
https://www.mediawiki.org/wiki/Release_notes/1.29

Full release notes for 1.30.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30

Full release notes for 1.31.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz

Patch to previous version (1.27.4):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz

Patch to previous version (1.29.2):
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz

Patch to previous version (1.30.0):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz

Patch to previous version (1.31.0):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html