Hello!
Just to make this explicit and not hidden in the depth of the
1.27.6/1.30.2/1.31.2/1.32.2 release announcement - MediaWiki 1.27 and 1.30
are now End-of-Life (EOL) as of Today and are therefore no longer supported.
MediaWiki 1.27 has been slated to become EOL in June 2019 [1], and
therefore the final release of the MediaWiki 1.27 branch in the form of
1.27.6 solidifies this.
MediaWiki 1.30 was supposed to be EOL in December 2018 [1], but due to a
lack of a release since 1.30.1 in September 2018, this hadn't formally
happened. MediaWiki 1.30.2 therefore is the final release for the
MediaWiki 1.30 branch.
If you require an LTS version of MediaWiki, please upgrade to MediaWiki 1.31
which is supported until June 2021 [1]. If you don't require LTS support,
you can upgrade to 1.32 which will be supported till January 2020 [1].
And as somewhat of a heads up, MediaWiki 1.33 is due to be released later
this month [1].
Thanks!
Sam
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hi all,
I would like to announce the release of MediaWiki 1.32.2, 1.31.2, 1.30.2
and 1.27.6!
These releases fix 11 security issues in core (not 12 as reported in the
pre-release announcement. This was a mistake, sorry!) and also include
some minor security and hardening patches previously committed to git.
Download links are given at the end of this email.
Patches will be pushed to Gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows.
Git tags will follow soon after. All related tasks will be made public
in Phabricator too in the following few hours.
Please note that December 2018 was the End-Of-Life date for MediaWiki
1.30. This means that MediaWiki 1.30.2 will be the last security release for
that version, barring any unforeseen issues. We would strongly encourage
users of MediaWiki 1.30 to upgrade to MediaWiki 1.31 (LTS version),
released in June 2018, or a yet newer version as soon as possible.
MediaWiki 1.31 will be supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.
June 2019 is the scheduled End-Of-Life date for MediaWiki 1.27 (the old LTS
version). This means that MediaWiki 1.27.6 will be the last security
release for that version, barring any unforeseen issues. We would strongly
encourage users of MediaWiki 1.27 to upgrade to MediaWiki 1.31 (LTS
version), released in June 2018, or a yet newer version as soon as possible.
MediaWiki 1.31 will be supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.
This release also serves as a maintenance release for these branches.
== Security fixes ==
* (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would
  allow for bypassing reauthentication, allowing for potential account
  takeover.
* (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a
  DoS by querying the entire `watchlist` table.
* (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent
  account allows anyone to create the account, and XSS the users loading
  that script.
* (T208881) blacklist CSS var().
* (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range
  blocks (`$wgBlockCIDRLimit`) by using the API.
* (T212118, CVE-2019-12474) Privileged API responses that include whether a
  recent change has been patrolled may be cached publicly.
* (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send
  out spam with no rate limiting or ability to block them.
* (T25227, CVE-2019-12466) An account can be logged out without using a
  token (CSRF).
* (T222036, CVE-2019-12469) Exposed suppressed username or log in
  Special:EditTags.
* (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
* (T221739, CVE-2019-11358) Fix potential XSS in jQuery.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T197279
* https://phabricator.wikimedia.org/T204729
* https://phabricator.wikimedia.org/T207603
* https://phabricator.wikimedia.org/T208881
* https://phabricator.wikimedia.org/T199540
* https://phabricator.wikimedia.org/T212118
* https://phabricator.wikimedia.org/T209794
* https://phabricator.wikimedia.org/T222036
* https://phabricator.wikimedia.org/T222038
* https://phabricator.wikimedia.org/T221739
* https://phabricator.wikimedia.org/T25227
== Release notes ==
Full release notes for 1.27.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.27
Full release notes for 1.30.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.30
Full release notes for 1.31.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.31
Full release notes for 1.32.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.32
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz
Patch to previous version (1.27.5):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz
Patch to previous version (1.30.1):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz
Patch to previous version (1.31.1):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz
Patch to previous version (1.32.1):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz
Patch to previous version (1.33.1):
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
1.32.2
1.31.2
1.30.2
1.27.6
This will resolve 12 issues in MediaWiki core, and also includes some
previously committed to git minor security and hardening patches.
Fixes will be available in these respective release branches,
and also master. Tarballs will be available for the above mentioned
point releases as well.
1.30 was due to be previously announced as end of life [1], and as
such 1.30.2 will be the final security and maintenance release
barring any unforeseen issues.
1.27.6 will also be the final release for 1.27 (barring any unforeseen
issues), which is scheduled to become end of life in June 2019 [1].
This security release includes fixes for MediaWiki core.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
---
Sam Reed