Mailing List Archive

Security and maintenance release: 1.31.16 / 1.35.4 / 1.36.2
I would like to announce the release of MediaWiki 1.31.16, 1.35.4 and
1.36.2!

These releases also serve as a maintenance release for these branches.

This is the final release of the 1.31 branch, and it is considered EOL as
of today, September 30, 2021.

While tarballs have already been uploaded, git tags will follow later on
today.

An "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
Special:Contributions.

=== Extension security fixes ===
* (T279090, CVE-2021-41801) SECURITY: ReplaceText continues performing
actions if the user no longer has the correct permission (such as by being
blocked).

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T285515
* https://phabricator.wikimedia.org/T290379
* https://phabricator.wikimedia.org/T284419
* https://phabricator.wikimedia.org/T279090

== Release notes ==

Full release notes for 1.31.16:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.36.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_36/RELEASE-NOTES-1.36
https://www.mediawiki.org/wiki/Release_notes/1.36

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.16.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.16.zip

Patch to previous version (1.31.15):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.patch.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.16.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.16.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.16.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.4.zip

Patch to previous version (1.35.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.4.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.2.zip

Patch to previous version (1.36.1):
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html