[IT-SecNots] [MediaWiki-announce] Security pre-release announcement: 1.35.5 / 1.36.3 / 1.37.1

[Sam Reed <reedy AT wikimedia.org>]

Hi all,

On Wednesday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.

The new releases will be:

- 1.35.5
- 1.36.3
- 1.37.1

This release includes fixes for multiple high severity authorization
bypasses in MediaWiki core, it is recommended you patch immediately. A
short LocalSettings.php configuration snippet will also be shared to
disable the vulnerable functionality if you are unable to patch right away.
This snippet should work across all vulnerable MediaWiki versions,
including end-of-life ones.

In addition to that, this will resolve other issues in MediaWiki core and
also includes some fixes previously committed to git, including minor
security and hardening patches along with bug fixes included for
maintenance reasons.

It also fixes 2 issues in MediaWiki tarball bundled extensions.

We will make the fixes available in these respective release branches and
master. Tarballs will be available for the above mentioned point releases
as well.

A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org