Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.14 / 1.39.6 / 1.40.2

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.14 / 1.39.6 / 1.40.2


Chronologisch Thread  
  • From: Sam Reed <reedy AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.14 / 1.39.6 / 1.40.2
  • Date: Thu, 21 Dec 2023 18:00:19 +0000
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/TDBUBCCOQJUT4SCHJNPHKQNPBUUETY52/>
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

I would like to announce the release of MediaWiki 1.35.14, 1.39.6 and
1.40.2!

These releases also serve as a maintenance release for these branches.

The tarballs have already been uploaded as of this email, and the git tags
have been pushed.

The fix was included in 1.41.0-rc.0, and therefore will be in 1.41.0, which
is expected to follow this announcement.

Unfortunately at the time of finalising this release, the CVE has not been
assigned a tracking number by MITRE. To get these releases out as detailed
in the pre-release announcement, they are therefore documented as
"CVE-2023-PENDING" here and in the commit messages of the commits that will
be pushed. The related tasks will be updated in retrospect when the CVEs
are issued, and we will also amend the RELEASE-NOTES files. They will then
be retrospectively correctly documented in the next releases, and in
HISTORY in the master branch of MediaWiki core.

The fix for T347726 was actually merged in public, independent of the
security bug report.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.

Various patches aimed at PHP 8.0, 8.1, 8.2 and 8.3 support have been
back-ported.

Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly
welcome, and fixes will be back-ported when possible. Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/ and
https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant
work boards.

As a reminder, when 1.35 was released, it was originally due to become end
of life (EOL) at the end of September 2023. Due to 1.39 being released late
(November 2022), and to honor the commitment to the 1 year overlap of
MediaWiki LTS releases, this formal EOL process is being delayed till at
least the end of November 2023.

It is therefore expected that this 1.35.14 will become the final release
for the 1.35 branch, and 1.35 will formally become end of life after this
email.

It is strongly recommended to upgrade to either 1.39 (the next LTS after
1.35), which will be supported until November 2025, 1.40, which will be
supported until June 2024, or 1.41, which will be supported until December
2024.

== Security fixes ==

* (T347726, CVE-2023-PENDING) SECURITY: group-.*-member messages are not
properly escaped on Special:log/rights.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T347726

== Release notes ==

Full release notes for 1.35.14:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.39.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.40.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_40/RELEASE-NOTES-1.40
https://www.mediawiki.org/wiki/Release_notes/1.40

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.14.zip

Patch to previous version (1.35.13):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.14.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.6.zip

Patch to previous version (1.39.5):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.6.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.2.zip

Patch to previous version (1.40.1):
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org


  • [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.35.14 / 1.39.6 / 1.40.2, Sam Reed, 21.12.2023

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang