it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
Re: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.31.9 / 1.34.3
- From: Sam Reed <reedy AT wikimedia.org>
- To: MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>, mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
- Subject: Re: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.31.9 / 1.34.3
- Date: Thu, 24 Sep 2020 17:22:44 +0100
- List-archive: <https://lists.wikimedia.org/pipermail/mediawiki-announce/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Sorry all for the inconvenience.

There are a couple of issues relating to some of the backports in the
User/ActorMigration changes. As such, I would advise against applying these
patches unless you really know what you are doing.

Fixes are being worked on, and will hopefully be released in a few hours.

On Thu, 24 Sep 2020 at 16:05, Sam Reed <reedy AT wikimedia.org> wrote:
> I would like to announce the release of MediaWiki 1.34.3, and 1.31.9!
>
> These releases also serve as a maintenance release for these branches.
>
> While tarballs have already been uploaded, git tags will follow later on
> today.
>
> A "MediaWiki Extensions Security Release Supplement" email will follow
> this one.
>
> As mentioned in the pre-release announcement, this will potentially be the
> final release of the MediaWiki 1.34 branch, barring any unforeseen issues.
> For continued support in the future, you are advised to upgrade to
> MediaWiki 1.35 in the near future.
>
> The release announcement for MediaWiki 1.35 will follow this one before
> the end of day tomorrow. MediaWiki 1.35 will be supported until September
> 2023.
>
> == Security fixes ==
> * (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
> `hideuser`, ignore hidden users.
> * (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
> Special:Contributions.
> * (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML
> within LogEventsList.
> * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
> firejail's --output functionality.
> * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs
> and 'style' attribute.
> * (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
> mw.message( ... ).parse().
> * (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
> correct database.
> * (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is
> used.
> * (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced
> cross-wiki.
>
> == Links to all mentioned tasks ==
> * https://phabricator.wikimedia.org/T232568
> * https://phabricator.wikimedia.org/T255918
> * https://phabricator.wikimedia.org/T256171
> * https://phabricator.wikimedia.org/T258763
> * https://phabricator.wikimedia.org/T86738
> * https://phabricator.wikimedia.org/T115888
> * https://phabricator.wikimedia.org/T260485
> * https://phabricator.wikimedia.org/T251661
>
> == Release notes ==
>
> Full release notes for 1.31.9:
>
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
> https://www.mediawiki.org/wiki/Release_notes/1.31
>
> Full release notes for 1.34.3:
>
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
> https://www.mediawiki.org/wiki/Release_notes/1.34
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz
>
> Patch to previous version (1.31.8):
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz
>
> GPG signatures:
>
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz
>
> Patch to previous version (1.34.2):
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz
>
> GPG signatures:
>
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>