
Security and maintenance release: 1.35.7 / 1.37.3 / 1.38.2
I would like to announce the release of MediaWiki 1.35.7, 1.37.3 and
1.38.2! There was no pre-release announcement as the security fixes being
included are low risk XSS vulnerabilities that aren't exploitable in the
default MediaWiki config. The patches have also been committed to git for a
while.

These releases also serve as a maintenance release for these branches.

While tarballs have already been uploaded as of this e-mail, git tags will
follow later on today.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.

T308473 only applies to MediaWiki > 1.35. Therefore the fix has not been
back-ported to 1.35.

T309377 only applies to MediaWiki 1.35 due to having guzzlehttp/guzzle
6.5.5. MediaWiki >= 1.36 had already been upgraded to guzzlehttp/guzzle
7.2. The patch for MediaWiki 1.35 in T309377 was superseded by the
subsequent guzzlehttp/guzzle update in T311384.

Various patches aimed at PHP 8.0 and PHP 8.1 support have been backported.
This should fix a lot of log spam, and MediaWiki should work on both
versions.

Bug reports on PHP 8.0 and 8.1 are very welcome, and fixes will be
back-ported when possible. Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/ and
https://phabricator.wikimedia.org/tag/php_8.1_support/ for the relevant
work boards.

== Security fixes ==
* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.
* (T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
* (T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T308471
* https://phabricator.wikimedia.org/T308473
* https://phabricator.wikimedia.org/T309377
* https://phabricator.wikimedia.org/T311384

== Release notes ==

Full release notes for 1.35.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.37.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
https://www.mediawiki.org/wiki/Release_notes/1.37

Full release notes for 1.38.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES-1.38
https://www.mediawiki.org/wiki/Release_notes/1.38

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip

Patch to previous version (1.35.6):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip

Patch to previous version (1.37.2):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip

Patch to previous version (1.38.1):
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
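
Added example, not part of the original announcement or of MediaWiki's own code: a check that reads Composer package metadata (composer.lock, or vendor/composer/installed.json) and reports which of the two guzzlehttp/guzzle CVEs listed under "Security fixes" are still unfixed for the installed version. The function names and sample inputs are constructed for illustration; the fixed-version thresholds are the ones given in the announcement.

```python
import json
import re

# Fixed versions as stated in the announcement. Only the 6.x and 7.x lines
# are covered; the 7.x fix version for CVE-2022-29248 is not given there,
# so it is not checked here.
FIXES = {
    6: [((6, 5, 6), "CVE-2022-29248"), ((6, 5, 8), "CVE-2022-27776")],
    7: [((7, 4, 5), "CVE-2022-27776")],
}

def parse_version(text):
    """Turn 'v6.5.5' or '7.4.5' into (6, 5, 5); None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def guzzle_findings(lock_text):
    """Return (version_string, [unfixed CVEs]) for guzzlehttp/guzzle.

    Accepts composer.lock text or installed.json text (Composer 2 wraps
    the package list in an object, Composer 1 used a bare list).
    Returns (None, []) when the package is absent.
    """
    data = json.loads(lock_text)
    packages = data if isinstance(data, list) else data.get("packages", [])
    for pkg in packages:
        if pkg.get("name") != "guzzlehttp/guzzle":
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            return raw, ["unparseable version, check manually"]
        unfixed = [cve for fixed, cve in FIXES.get(ver[0], []) if ver < fixed]
        return raw, unfixed
    return None, []

# Constructed sample inputs, not taken from any real installation.
SAMPLE_135_OLD = json.dumps({"packages": [
    {"name": "psr/log", "version": "1.1.4"},
    {"name": "guzzlehttp/guzzle", "version": "6.5.5"}]})
SAMPLE_PATCHED = json.dumps([{"name": "guzzlehttp/guzzle", "version": "7.4.5"}])

if __name__ == "__main__":
    for label, text in [("old 1.35", SAMPLE_135_OLD), ("patched", SAMPLE_PATCHED)]:
        version, unfixed = guzzle_findings(text)
        print(label, version, unfixed or "no listed CVE outstanding")
```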
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce@lists.wikimedia.org