
Security Release: 1.26.3, 1.25.6, and 1.23.14
I would like to announce the release of MediaWiki 1.26.3, 1.25.6 and
1.23.14.

These releases fix sixteen security issues in core, one issue in the bundled
extension SyntaxHighlight_GeSHi and one issue in the non-bundled
extension Scribunto.
Download links are given at the end of this email.

== Security fixes ==

* T122056: Old tokens are remaining valid within a new session
* T127114: Login throttle can be tricked using non-canonicalized usernames
* T123653: Cross-domain policy regexp is too narrow
* T123071: Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* T129506: MediaWiki:Gadget-popups.js isn't renderable
* T125283: Users occasionally logged in as different users after
SessionManager deployment
* T103239: Patrol allows click catching and patrolling of any page
* T122807: [tracking] Check php crypto primitives
* T98313: Graphs can leak tokens, leading to CSRF
* T130947: Diff generation should use PoolCounter
* T133507: Careless use of $wgExternalLinkTarget is insecure
* T132874: API action=move is not rate limited

This fix affects both core and SyntaxHighlight_GeSHi:
* T110143: strip markers can be used to get around html attribute escaping
in (many?) parser tags

These two fixes are not applicable to 1.23.14 as the 1.23 branch does not
contain pbkdf2 support.
* T116030: Increase pbkdf2 parameter strengths
* T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded

This fix is already in master and the 1.27 release branch, and is just being
backported to 1.23 and 1.25:
* T126685: Globally throttle password attempts

== Links to all mentioned tasks ==
https://phabricator.wikimedia.org/T122056
https://phabricator.wikimedia.org/T127114
https://phabricator.wikimedia.org/T123653
https://phabricator.wikimedia.org/T123071
https://phabricator.wikimedia.org/T129506
https://phabricator.wikimedia.org/T125283
https://phabricator.wikimedia.org/T103239
https://phabricator.wikimedia.org/T122807
https://phabricator.wikimedia.org/T98313
https://phabricator.wikimedia.org/T130947
https://phabricator.wikimedia.org/T133507
https://phabricator.wikimedia.org/T132874
https://phabricator.wikimedia.org/T110143
https://phabricator.wikimedia.org/T116030
https://phabricator.wikimedia.org/T127420
https://phabricator.wikimedia.org/T126685

== Release notes ==

Full release notes for 1.26.3:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.6:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.23.14:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
1.26.3
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.3.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.25.6
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.6.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
1.23.14
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.14.tar.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
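As an added example (not part of the announcement, and not MediaWiki project tooling), the following POSIX shell script fetches one of the artifacts listed above together with its detached .sig and refuses to proceed unless gpg verifies it. It assumes curl and gpg are installed and that the release signing keys from the key page above have already been imported into the local keyring.

```shell
#!/bin/sh
# Fetch a MediaWiki release tarball or patch plus its detached signature and
# verify it before anything is unpacked or applied. Assumption: the signing
# keys from https://www.mediawiki.org/keys/keys.html are already imported.
set -u

BASE_URL="https://releases.wikimedia.org/mediawiki"

# Print the download URL for an artifact on a release branch,
# e.g. release_url 1.26 mediawiki-1.26.3.tar.gz
release_url() {
    printf '%s/%s/%s\n' "$BASE_URL" "$1" "$2"
}

# Download an artifact and its .sig into the current directory.
fetch_artifact() {
    branch=$1; name=$2
    curl -fsSLO "$(release_url "$branch" "$name")" &&
    curl -fsSLO "$(release_url "$branch" "$name.sig")"
}

# Verify a file against its detached signature. Returns non-zero when a file
# is missing, the key is unknown, or the signature is bad; callers must act
# on that status instead of assuming the download is genuine.
verify_artifact() {
    file=$1; sig=${2:-$1.sig}
    [ -f "$file" ] && [ -f "$sig" ] || { echo "missing $file or $sig" >&2; return 1; }
    gpg --batch --verify "$sig" "$file"
}

# Usage: sh verify_release.sh <branch> <version> [tarball|patch]
#   e.g. sh verify_release.sh 1.26 1.26.3
main() {
    branch=$1; version=$2; kind=${3:-tarball}
    case $kind in
        patch) name="mediawiki-$version.patch.gz" ;;
        *)     name="mediawiki-$version.tar.gz" ;;
    esac
    fetch_artifact "$branch" "$name" || { echo "download failed: $name" >&2; return 1; }
    if verify_artifact "$name"; then
        echo "OK: $name carries a valid signature"
    else
        echo "REFUSING: $name failed signature verification; do not unpack it" >&2
        return 1
    fi
}

# Only run when invoked with arguments, so the functions stay sourceable.
if [ $# -ge 2 ]; then main "$@"; fi
```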

-Chad H. & Chris S.
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce