Mailing List Archive

Security and maintenance release: 1.31.9 / 1.34.3
I would like to announce the release of MediaWiki 1.34.3, and 1.31.9!

These releases also serve as a maintenance release for these branches.

While tarballs have already been uploaded, git tags will follow later on
today.

An "MediaWiki Extensions Security Release Supplement" email will follow
this one.

As mentioned in the pre-release announcement, this will potentially be the
final release of the MediaWiki 1.34 branch, barring any unforeseen issues.
For continued support in the future, you are advised to upgrade to
MediaWiki 1.35 in the near future.

The release announcement for MediaWiki 1.35 will follow this one before the
end of day tomorrow. MediaWiki 1.35 will be supported until September 2023.

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

== Release notes ==

Full release notes for 1.31.9:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.34.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
https://www.mediawiki.org/wiki/Release_notes/1.34

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz

Patch to previous version (1.31.8):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz

Patch to previous version (1.34.2):
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Security and maintenance release: 1.31.9 / 1.34.3 [ In reply to ]
Sorry all for the inconvenience.

There's a couple of issues relating to some of the backports in the
User/ActorMigration changes. As such, I would advise against applying these
patches unless you really know what you are doing.

Fixes are being worked on, and will hopefully be released in a few hours.

On Thu, 24 Sep 2020 at 16:05, Sam Reed <reedy@wikimedia.org> wrote:

> I would like to announce the release of MediaWiki 1.34.3, and 1.31.9!
>
> These releases also serve as a maintenance release for these branches.
>
> While tarballs have already been uploaded, git tags will follow later on
> today.
>
> An "MediaWiki Extensions Security Release Supplement" email will follow
> this one.
>
> As mentioned in the pre-release announcement, this will potentially be the
> final release of the MediaWiki 1.34 branch, barring any unforeseen issues.
> For continued support in the future, you are advised to upgrade to
> MediaWiki 1.35 in the near future.
>
> The release announcement for MediaWiki 1.35 will follow this one before
> the end of day tomorrow. MediaWiki 1.35 will be supported until September
> 2023.
>
> == Security fixes ==
> * (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
> `hideuser`, ignore hidden users.
> * (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
> Special:Contributions.
> * (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML
> within LogEventsList.
> * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
> firejail's --output functionality.
> * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs
> and 'style' attribute.
> * (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
> mw.message( ... ).parse().
> * (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
> correct database.
> * (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
> used.
> * (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced
> cross-wiki.
>
> == Links to all mentioned tasks ==
> * https://phabricator.wikimedia.org/T232568
> * https://phabricator.wikimedia.org/T255918
> * https://phabricator.wikimedia.org/T256171
> * https://phabricator.wikimedia.org/T258763
> * https://phabricator.wikimedia.org/T86738
> * https://phabricator.wikimedia.org/T115888
> * https://phabricator.wikimedia.org/T260485
> * https://phabricator.wikimedia.org/T251661
>
> == Release notes ==
>
> Full release notes for 1.31.9:
>
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
> https://www.mediawiki.org/wiki/Release_notes/1.31
>
> Full release notes for 1.34.3:
>
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
> https://www.mediawiki.org/wiki/Release_notes/1.34
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz
>
> Patch to previous version (1.31.8):
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz
>
> GPG signatures:
>
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz
>
> Patch to previous version (1.34.2):
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz
>
> GPG signatures:
>
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l