[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.31.11 / 1.35.1

[Sam Reed <reedy AT wikimedia.org>]

I would like to announce the release of MediaWiki 1.31.11 and 1.35.1!

These releases also serve as a maintenance release for these branches.
Numerous fixes have been backported into 1.35, including some for PHP 8.0
support (though we are not declaring full PHP 8.0 support yet).

T268894 doesn't apply to MediaWiki 1.31, as the code was added in 1.35.
Also, only one of the two fixes of T268938 apply to MediaWiki 1.31, as the
code was not added until MediaWiki 1.33.

While tarballs have already been uploaded, git tags will follow later on
today.

An "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T268894, CVE-2020-35474) SECURITY: Message
recentchanges-legend-watchlistexpiry can contain raw html.
* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current
and userrights-expiry-none can contain raw html.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can
output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log
entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions
and user pages of hidden users and missing users.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T268894
* https://phabricator.wikimedia.org/T268917
* https://phabricator.wikimedia.org/T268938
* https://phabricator.wikimedia.org/T205908
* https://phabricator.wikimedia.org/T120883

== Release notes ==

Full release notes for 1.31.11:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz

Patch to previous version (1.31.10):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz

Patch to previous version (1.35.0):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce