it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.7 / 1.37.3 / 1.38.2
- From: Sam Reed <reedy AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.7 / 1.37.3 / 1.38.2
- Date: Thu, 30 Jun 2022 21:36:30 +0100
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/>
- Authentication-results: mail.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b=n9h9R5vM; dmarc=pass (policy=none) header.from=wikimedia.org; spf=pass (mail.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:1:208:80:154:21 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
I would like to announce the release of MediaWiki 1.35.7, 1.37.3 and
1.38.2! There was no pre-release announcement as the security fixes being
included are low risk XSS vulnerabilities that aren't exploitable in the
default MediaWiki config. The patches have also been committed to git for a
while.
These releases also serve as a maintenance release for these branches.
While tarballs have already been uploaded as of this e-mail, git tags will
follow later on today.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.
T308473 only applies to MediaWiki > 1.35. Therefore the fix has not been
back-ported to 1.35.
T309377 only applies to MediaWiki 1.35 due to having guzzlehttp/guzzle
6.5.5. MediaWiki >= 1.36 had already been upgraded to guzzlehttp/guzzle
7.2. The patch for MediaWiki 1.35 in T309377 was superseded by the
subsequent guzzlehttp/guzzle update in T311384.
Various patches aimed at PHP 8.0 and PHP 8.1 support have been backported.
This should fix a lot of log spam, and MediaWiki should work on both
versions.
Bug reports on PHP 8.0 and 8.1 are very welcome, and fixes will be
back-ported when possible. Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/ and
https://phabricator.wikimedia.org/tag/php_8.1_support/ for the relevant
work boards.
== Security fixes ==
* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.
* (T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
* (T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T308471
* https://phabricator.wikimedia.org/T308473
* https://phabricator.wikimedia.org/T309377
* https://phabricator.wikimedia.org/T311384
== Release notes ==
Full release notes for 1.35.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35
Full release notes for 1.37.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
https://www.mediawiki.org/wiki/Release_notes/1.37
Full release notes for 1.38.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES-1.38
https://www.mediawiki.org/wiki/Release_notes/1.38
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip
Patch to previous version (1.35.6):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip
Patch to previous version (1.37.2):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip
Patch to previous version (1.38.1):
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org
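An added example, not part of the original e-mail or of MediaWiki's code: a check that reports whether the guzzlehttp/guzzle version recorded in a Composer lock file is below the fixed versions named under "Security fixes" (6.5.8 for the 6.x series, 7.4.5 for 7.x). It assumes the standard composer.lock JSON layout; the function names and the sample lock document are constructed for illustration.

```python
import json

# Minimum fixed guzzlehttp/guzzle version per major series, taken from the
# announcement (T311384: 6.5.8 / 7.4.5).
FIXED_FLOOR = {6: (6, 5, 8), 7: (7, 4, 5)}
PACKAGE = "guzzlehttp/guzzle"

# Constructed sample: a lock file as a 1.35 install with guzzle 6.5.5 might record it.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "psr/log", "version": "1.1.4"},
    {"name": "guzzlehttp/guzzle", "version": "6.5.5"},
]})


def parse_version(text):
    """Turn '6.5.5' or 'v7.4.5' into a comparable tuple of three ints."""
    core = text.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def audit_lock(lock_text):
    """Return (status, installed_version) for guzzle in a composer.lock document.

    status is 'ok', 'outdated', 'unknown-series' (branch alias or a major
    series the announcement does not cover) or 'absent'.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = pkg.get("version", "")
        try:
            parsed = parse_version(version)
        except ValueError:
            return ("unknown-series", version)
        floor = FIXED_FLOOR.get(parsed[0])
        if floor is None:
            return ("unknown-series", version)
        return ("ok" if parsed >= floor else "outdated", version)
    return ("absent", None)


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```
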