it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.8 / 1.37.4 / 1.38.3
- From: Sam Reed <reedy AT wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>, wikitech-l AT lists.wikimedia.org
- Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.8 / 1.37.4 / 1.38.3
- Date: Thu, 29 Sep 2022 19:57:49 +0100
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/>
- Authentication-results: mail.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b=I1Yrl5Xz; spf=pass (mail.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:1:208:80:154:21 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org; dmarc=pass (policy=none) header.from=wikimedia.org
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
I would like to announce the release of MediaWiki 1.35.8, 1.37.5 and 1.38.3!
These releases also serve as a maintenance release for these branches.
The tarballs have already been uploaded as of this e-mail; the git tags
will follow later on today.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.
T307278 only applies to MediaWiki >= 1.37. Therefore the fix has not been
back-ported to 1.35.
All three fixes apply to the pre-release 1.39, and will be included in the
upcoming 1.39.0-rc.1 release. They will be merged into the REL1_39 branch
later today.
Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been
back-ported. This should fix a lot of log spam, and MediaWiki should work
on both released versions (PHP 8.0 and 8.1).
Reports of bugs with PHP 8.0, 8.1, or 8.2 support are particularly welcome,
and fixes will be back-ported when possible. Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/ and
https://phabricator.wikimedia.org/tag/php_8.2_support/ for the relevant
work boards.
As a reminder, 1.37 is due to become end of life (EOL) in November 2022.
1.37.5 is expected to be the last release for this branch. It is
recommended to upgrade to 1.38, or to 1.39 (the next LTS after 1.35) due to
be released in November 2022.
== Security fixes ==
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message
"alreadyrolled" can leak revision deleted user name.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T316304
* https://phabricator.wikimedia.org/T309894
* https://phabricator.wikimedia.org/T307278
== Release notes ==
Full release notes for 1.35.8:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35
Full release notes for 1.37.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
https://www.mediawiki.org/wiki/Release_notes/1.37
Full release notes for 1.38.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES-1.38
https://www.mediawiki.org/wiki/Release_notes/1.38
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.8.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.8.zip
Patch to previous version (1.35.7):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.8.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.8.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.5.zip
Patch to previous version (1.37.4):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.5.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.3.zip
Patch to previous version (1.38.2):
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.3.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html