[Systems] Fwd: [MediaWiki-announce] Security and maintenance release: 1.31.9 / 1.34.3
Bernie Innocenti
bernie at codewiz.org
Thu Sep 24 15:13:02 EDT 2020
-------- Forwarded Message --------
Subject: [MediaWiki-announce] Security and maintenance release: 1.31.9
/ 1.34.3
Date: Thu, 24 Sep 2020 16:05:38 +0100
From: Sam Reed <reedy at wikimedia.org>
Reply-To: wikitech-l at lists.wikimedia.org
To: MediaWiki announcements and site admin list
<mediawiki-l at lists.wikimedia.org>,
mediawiki-announce at lists.wikimedia.org, wikitech-l at lists.wikimedia.org
I would like to announce the release of MediaWiki 1.34.3, and 1.31.9!
These releases also serve as a maintenance release for these branches.
While tarballs have already been uploaded, git tags will follow later on
today.
An "MediaWiki Extensions Security Release Supplement" email will follow
this one.
As mentioned in the pre-release announcement, this will potentially be the
final release of the MediaWiki 1.34 branch, barring any unforeseen issues.
For continued support in the future, you are advised to upgrade to
MediaWiki 1.35 in the near future.
The release announcement for MediaWiki 1.35 will follow this one before the
end of day tomorrow. MediaWiki 1.35 will be supported until September 2023.
== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661
== Release notes ==
Full release notes for 1.31.9:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31
Full release notes for 1.34.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
https://www.mediawiki.org/wiki/Release_notes/1.34
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz
Patch to previous version (1.31.8):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz
Patch to previous version (1.34.2):
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/systems/attachments/20200925/0bf00355/attachment.htm>
More information about the Systems
mailing list