MediaWiki-announce June 2019

mediawiki-announce@lists.wikimedia.org

1 participants
5 discussions

MediaWiki 1.33.0-rc.0 is ready for testing
by Sam Reed 07 Jun '19

07 Jun '19

I'm pleased to announce the immediate availability of MediaWiki 1.33.0-rc.0, the first release candidate for 1.33.x. Download links at the end of the e-mail. The tag has been signed and pushed to Git. This is not a final release and should not be used for production websites. Known issues are tracked in Phabricator on the release workboard [1]. As always please do try out the release candidate in a test environment and report any issues that you discover. Please use the #MW-1.33-Release [2] tag in Phabricator when reporting issues specific to this release. Preliminary release notes: https://phabricator.wikimedia.org/source/mediawiki/browse/REL1_33/RELEASE-N… https://www.mediawiki.org/wiki/Release_notes/1.33 MediaWiki core with bundled extensions: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.0-rc.0.tar.gz Core only, no extensions: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.0-rc.0.ta… GPG signatures: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.0-rc.0.ta… https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.0-rc.0.tar.gz.… Public keys: https://www.mediawiki.org/keys/keys.html Open Bugs: [1] https://phabricator.wikimedia.org/project/board/3386/ Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.33-…

1 0

Maintenance release: 1.27.7
by Sam Reed 06 Jun '19

06 Jun '19

Unfortunately a couple of issues have been noticed with MediaWiki 1.27.6. * Whilst back-porting patches to 1.27, a required use statement was missed from LogEventsList.php as it already existed in newer versions of MW. * Some broken tests added in ApiBlockTest were removed. MediaWiki 1.27.7 will be the last release for MediaWiki 1.27, barring any further unforeseen issues. Sorry for any inconvenience! == Release notes == Full release notes for 1.27.7: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.27 For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.7.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.7.tar.gz Patch to previous version (1.27.6): https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.7.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.7.tar.gz.… https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.7.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.7.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 0

MediaWiki 1.27 and 1.30 are now End-of-Life
by Sam Reed 06 Jun '19

06 Jun '19

Hello! Just to make this explicit and not hidden in the depth of the 1.27.6/1.30.2/1.31.2/1.32.2 release announcement - MediaWiki 1.27 and 1.30 are now End-of-Life (EOL) as of Today and are therefore no longer supported. MediaWiki 1.27 has been slated to become EOL in June 2019 [1], and therefore the final release of the MediaWiki 1.27 branch in the form of 1.27.6 solidifies this. MediaWiki 1.30 was supposed to be EOL in December 2018 [1], but due to a lack of a release since 1.30.1 in September 2018, this hadn't formally happened. MediaWiki 1.30.2 therefore is the final release for the MediaWiki 1.30 branch. If you require an LTS version of MediaWiki, please upgrade to MediaWiki 1.31 which is supported until June 2021 [1]. If you don't require LTS support, you can upgrade to 1.32 which will be supported till January 2020 [1]. And as somewhat of a heads up, MediaWiki 1.33 is due to be released later this month [1]. Thanks! Sam [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

Security and maintenance release: 1.27.6 / 1.30.2 / 1.31.2 / 1.32.2
by Sam Reed 06 Jun '19

06 Jun '19

Hi all, I would like to announce the release of MediaWiki 1.32.2, 1.31.2, 1.30.2 and 1.27.6! These releases fix 11 security issues in core (not 12 as reported in the pre-release announcement. This was a mistake, sorry!) and also includes some previously committed to git as minor security and hardening patches. Download links are given at the end of this email. Patches will be pushed to Gerrit after this email is sent, and will land into the relevant branches as fast as our CI infrastructure allows. Git tags will follow soon after. All related tasks will be made public in Phabricator too in the following few hours. Please note that December 2018 was the End-Of-Life date for MediaWiki 1.30. This means that MediaWiki 1.30.2 will be the last security release for that version, barring any unforeseen issues. We would strongly encourage users of MediaWiki 1.30 to upgrade to MediaWiki 1.31 (LTS version), released in June 2018, or a yet newer version as soon as possible. MediaWiki 1.31 will be supported until July 2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more information. June 2019 is the scheduled End-Of-Life date for MediaWiki 1.27 (the old LTS version). This means that MediaWiki 1.27.6 will be the last security release for that version, barring any unforeseen issues. We would strongly encourage users of MediaWiki 1.27 to upgrade to MediaWiki 1.31 (LTS version), released in June 2018, or a yet newer version as soon as possible. MediaWiki 1.31 will be supported until July 2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more information. This release also serves as a maintenance release for these branches. == Security fixes == * (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover. * (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table. * (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script. * (T208881) blacklist CSS var(). * (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API. * (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly. * (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. * (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF). * (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags. * (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page. * (T221739, CVE-2019-11358) Fix potential XSS in jQuery. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T197279 * https://phabricator.wikimedia.org/T204729 * https://phabricator.wikimedia.org/T207603 * https://phabricator.wikimedia.org/T208881 * https://phabricator.wikimedia.org/T199540 * https://phabricator.wikimedia.org/T212118 * https://phabricator.wikimedia.org/T209794 * https://phabricator.wikimedia.org/T222036 * https://phabricator.wikimedia.org/T222038 * https://phabricator.wikimedia.org/T221739 * https://phabricator.wikimedia.org/T25227 == Release notes == Full release notes for 1.27.6: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.27 Full release notes for 1.30.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.30 Full release notes for 1.31.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.31 Full release notes for 1.32.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.32 For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz Patch to previous version (1.27.5): https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz.… https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz Patch to previous version (1.30.1): https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz Patch to previous version (1.31.1): https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz Patch to previous version (1.32.1): https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz Patch to previous version (1.33.1): https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 0

Security pre-release announcement: 1.27.6 / 1.30.2 / 1.31.2 / 1.32.2
by Sam Reed 05 Jun '19

05 Jun '19

Hi all, Tomorrow we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: 1.32.2 1.31.2 1.30.2 1.27.6 This will resolve 12 issues in MediaWiki core, and also includes some previously committed to git minor security and hardening patches. Fixes will be available in these respective release branches, and also master. Tarballs will be available for the above mentioned point releases as well. 1.30 was due to be previously announced as end of life [1], and as such 1.30.2 will be the final security and maintenance release barring any unforeseen issues. 1.27.6 will also be the final release for 1.27 (barring any unforeseen issues), which is scheduled to become end of life in June 2019 [1]. This security release includes fixes for MediaWiki core. [1] https://www.mediawiki.org/wiki/Version_lifecycle --- Sam Reed

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce June 2019