Thank you -- Sent from myMail for Android Thursday, 08 April 2021, 03:35PM -04:00 from Sam Reed [email protected] :
>I would like to announce the release of MediaWiki 1.31.13 and 1.35.2! > >These releases also serve as a maintenance release for these branches. >Numerous fixes have been backported into 1.35, including some for PHP 8.0 >support (though we are not declaring full PHP 8.0 support yet). > >This is the first MediaWiki release where zip files are included too. This is >due to some issues with the tarballs for some users with certain extraction >applications. > >Composer 2.0 is also now supported on MediaWiki 1.35.2. > >MediaWiki also has a new logo as of these releases. > >T270453 does not apply to MediaWiki 1.31.13, as VisualEditor is not bundled. >However the patch will be backported to the 1.31 branch if you use >VisualEditor, and you should pick up the update from the usual places. > >T279451 also does not apply to MediaWiki 1.31.13, as Parsoid is not bundled. >If you use the node.js service, it is recommended to update this. > >T276843 has been fixed in different ways on MediaWiki 1.31.13 and MediaWiki >1.35.2. On the former, we have just disabled the known vulnerable lexers. On >1.35.2, we have upgraded pygments from 2.5.2 to 2.7.4. > >While tarballs have already been uploaded, git tags will follow later on today. > >An "MediaWiki Extensions Security Release Supplement" email will follow this >one. > >== Security fixes == >* (T270453, CVE-2021-30153) SECURITY: ApiVisualEditor leaks info about hidden >users. >* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they >have right to do so via action=protect. >* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can >create pages. >* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast >double move. >* (T276843, CVE-2021-20270, CVE-2021-27291) SECURITY: Various SyntaxHighlight >lexers are vulnerable to DoS. >* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access >Special:ResetTokens. >* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages >on Special:NewFiles. >* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages >onChangesList pages. >* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for >inserting mostly arbitrary tags. > >== Links to all mentioned tasks == >* https://phabricator.wikimedia.org/T270453 >* https://phabricator.wikimedia.org/T270713 >* https://phabricator.wikimedia.org/T270988 >* https://phabricator.wikimedia.org/T272386 >* https://phabricator.wikimedia.org/T276843 >* https://phabricator.wikimedia.org/T277009 >* https://phabricator.wikimedia.org/T278014 >* https://phabricator.wikimedia.org/T278058 >* https://phabricator.wikimedia.org/T279451 > >== Release notes == > >Full release notes for 1.31.13: >https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31 >https://www.mediawiki.org/wiki/Release_notes/1.31 > >Full release notes for 1.35.2: >https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35 >https://www.mediawiki.org/wiki/Release_notes/1.35 > >For information about how to upgrade, see < https://www.mediawiki.org/wiki/Manual:Upgrading> > >********************************************************************** >Download: >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip > >Download without bundled extensions: >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip > >Patch to previous version (1.31.12): >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip > >GPG signatures: >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz.sig >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip.sig >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz.sig >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip.sig >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz.sig >https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip.sig > >Public keys: >https://www.mediawiki.org/keys/keys.html > >********************************************************************** >Download: >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.tar.gz >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.zip > >Download without bundled extensions: >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip > >Patch to previous version (1.35.1): >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.gz >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.zip > >GPG signatures: >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz.sig >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip.sig >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.tar.gz.sig >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.zip.sig >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.gz.sig >https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.zip.sig > >Public keys: >https://www.mediawiki.org/keys/keys.html >_______________________________________________ >MediaWiki-l mailing list >To unsubscribe, go to: >https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
