I would like to announce the release of MediaWiki 1.35.6, 1.36.4 and 1.37.2!
These releases also serve as a maintenance release for these branches.
This is expected to be the final release in the 1.36 branch, which is due
to become EOL as of the end of May 2022.
While tarballs have already been uploaded as of this e-mail, git tags will
follow later on today.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.
T297754 only applies to MediaWiki >= 1.37. Therefore fixes have not been
back-ported to 1.35 or 1.36.
Various patches aimed at PHP 8.0 and PHP 8.1 support have been back-ported
to all branches. This should fix a lot of log spam, and MediaWiki should
work on both versions.
Bug reports on PHP 8.0 and 8.1 are very welcome, and fixes will be
back-ported when possible. Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/ and
https://phabricator.wikimedia.org/tag/php_8.1_support/ for the relevant
work boards.
== Security fixes ==
* (T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not
escaped when used in galleries or Special:RevisionDelete.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite
recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many
file uploads with actor as a condition can result in a DoS.
* (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when
a page is used on an extremely large number of other pages.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T297543
* https://phabricator.wikimedia.org/T297571
* https://phabricator.wikimedia.org/T297731
* https://phabricator.wikimedia.org/T297754
== Release notes ==
Full release notes for 1.35.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.35
Full release notes for 1.36.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_36/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.36
Full release notes for 1.37.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES…
https://www.mediawiki.org/wiki/Release_notes/1.37
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.6.zip
Patch to previous version (1.35.5):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.6.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.4.zip
Patch to previous version (1.36.3):
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.4.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.4.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.2.zip
Patch to previous version (1.37.1):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.2.tar.gz.…
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
Hi all,
On Thursday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.35.6
- 1.36.4
- 1.37.2
This will resolve four issues in MediaWiki core and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons. One issue
does not affect MediaWiki 1.35 and 1.36.
In addition to those, these releases will resolve other issues in MediaWiki
core and also include some fixes previously committed to git, including
minor security and hardening patches along with bug fixes included for
maintenance reasons.
We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.
As a reminder, 1.36 is due to become end of life (EOL) in May 2022. 1.36.4
is expected to be the last release for this branch. It is recommended to
upgrade to 1.37, or to 1.38 due to be released in May 2022.
[1] https://www.mediawiki.org/wiki/Version_lifecycle