Transition Technology: Ticket Query

#841: Mediawiki 1.23.9

chris — Wed, 01 Apr 2015 20:26:50 GMT

I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email.

Security fixes

iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. https://phabricator.wikimedia.org/T85850
MediaWiki user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. https://phabricator.wikimedia.org/T86711
MediaWiki user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions. https://phabricator.wikimedia.org/T73394
Internal review discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. https://phabricator.wikimedia.org/T88310
iSEC Partners discovered a XSS vulnerability in the way api errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now detects and mitigates this issue on older versions of HHVM. https://phabricator.wikimedia.org/T85851
Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. https://phabricator.wikimedia.org/T64685
iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). https://phabricator.wikimedia.org/T85848
Internal review found that MediaWiki is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. https://phabricator.wikimedia.org/T71210
iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. https://phabricator.wikimedia.org/T85349
iSEC Partners reported that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. https://phabricator.wikimedia.org/T85855
Additionally, the following extensions have been updated to fix security issues:

Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS. https://phabricator.wikimedia.org/T85113
Extension:!CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. https://phabricator.wikimedia.org/T85858
Bug fixes

1.24

Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
1.23 & 1.24

(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Full release notes:

https://www.mediawiki.org/wiki/Release_notes/1.24
https://www.mediawiki.org/wiki/Release_notes/1.23
https://www.mediawiki.org/wiki/Release_notes/1.19
Download:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz
Patch to previous version:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz
GPG signatures:

http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.24/mediawiki-1.24.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.9.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.24.patch.gz.sig
Extensions:

http://www.mediawiki.org/wiki/Extension:Scribunto
http://www.mediawiki.org/wiki/Extension:CheckUser
Public keys:

https://www.mediawiki.org/keys/keys.html

#816: MediaWiki 1.23.8

chris — Thu, 18 Dec 2014 11:20:43 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch.

Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23

(bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
(bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
Bugfixes

(bug T74222) The original patch for T74222 was reverted as unnecessary.
Fixed a couple of entries in RELEASE-NOTES-1.24.
(bug T76168) OutputPage: Add accessors for some protected properties.
(bug T74834) Make 1.24 branch directly installable under PostgreSQL.
Add missing $ in front of variable in OutputPage.php
Security fixes in extensions

(bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
(bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
(bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs edit token when raw HTML is allowed
(bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
(bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing
(bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.
Full release notes for 1.23.8: https://www.mediawiki.org/wiki/Release_notes/1.23

#813: MediaWiki 1.23.7

chris — Thu, 27 Nov 2014 14:38:47 GMT

The announcement email:

I would like to announce the release of MediaWiki 1.23.7, 1.22.14 and 1.19.22. This is a regular security and maintenance release. Download links are given at the end of this email.

Security fixes

(bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy. https://phabricator.wikimedia.org/T68776 https://phabricator.wikimedia.org/T73478
(bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model. https://phabricator.wikimedia.org/T72901
(bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario. https://phabricator.wikimedia.org/T73111
(bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff. https://phabricator.wikimedia.org/T74222
Bugfixes

(bug 71621) Make allowing site-wide styles on restricted special pages a config option. https://phabricator.wikimedia.org/T73621
(bug 42723) Added updated version history from 1.19.2 to 1.22.13 https://phabricator.wikimedia.org/T44723
$wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.
Full release notes for 1.23.7: https://www.mediawiki.org/wiki/Release_notes/1.23

#799: MediaWiki Visual Editor broken from Parsoid update

chris — Tue, 21 Oct 2014 10:21:54 GMT

After updating Parasoid on ticket:692#comment:102 the MediaWiki visual editor now generates this error:

Error loading data from server: parsoidserver-http-bad-status: 500. Would you like to retry?

#793: MediaWiki Security and Maintenance Release 1.23.5

chris — Thu, 02 Oct 2014 08:57:49 GMT

Announcement email:

I would like to announce the release of MediaWiki 1.19.20, 1.22.12 and 1.23.5. This is a security release. Download links are given at the end of this email.

Security

(bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
Full release notes for 1.23.5: <https://www.mediawiki.org/wiki/Release_notes/1.23>

#781: MediaWiki Security and Maintenance Releases: 1.22.10 and 1.23.3

chris — Thu, 28 Aug 2014 06:42:16 GMT

Announcement email:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-August/000159.html

Bugfixes only, not a security update so no urgent update required.

#766: MediaWiki Security and Maintenance Update 1.23.2

chris — Wed, 30 Jul 2014 20:56:46 GMT

From the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.23.2, 1.22.9 and 1.19.18. This is a regular security and maintenance release. Download links are given at the end of this email.

Security

(bug 68187) SECURITY: Prepend jsonp callback with comment.
(bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript,instead of relying on the URL in the link that has been clicked.
(bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
Bugfixes in 1.23.2

(bug 68313) Preferences: Turn stubthreshold back into a combo box.
(bug 65214) Fix initSiteStats.php maintenance script.
(bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
Full release notes for 1.23.2: https://www.mediawiki.org/wiki/Release_notes/1.23

Public keys: <https://www.mediawiki.org/keys/keys.html>

1.23.2

Download: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz

Patch to previous version (1.23.1): https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz

GPG signatures: https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.2.patch.gz.sig

Note: There is no i18n patch as there are no changes in translation.

#753: wiki.transitionnetwork.org displaying error

chris — Fri, 04 Jul 2014 08:23:52 GMT

This is rather weird, the site was working yesterday, now at https://wiki.transitionnetwork.org/ we have:

bar(), etc etc) which throw parse errors in # PHP 4. Setup.php and ObjectCache.php have structures invalid in PHP 5.0 and # 5.1, respectively. if ( !function_exists( 'version_compare' ) || version_compare( phpversion(), '5.3.2' ) < 0 ) { // We need to use dirname( __FILE__ ) here cause __DIR__ is PHP5.3+ require dirname( __FILE__ ) . '/includes/PHPVersionError.php'; wfPHPVersionError( 'index.php' ); } require __DIR__ . '/includes/WebStart.php'; $mediaWiki = new MediaWiki(); $mediaWiki->run();

#736: Upgrade to MediaWiki 1.23.0

chris — Thu, 05 Jun 2014 09:43:50 GMT

From the announcements list:

I am happy to announce the availability of the first stable release of the new MediaWiki 1.23 release series.

MediaWiki 1.23 is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users. You can consult the RELEASE-NOTES-1.23 file for the full list of changes in this version.

This is a Long Term Support release (LTS) and will be supported until May 2017.

Our thanks to everyone who helped to improve MediaWiki by testing the release candidates and submitting bug reports.

What's new?

MediaWiki 1.23 includes all changes released in the smaller 1.23wmfX software deployments to Wikimedia sites.
Skin autodiscovery deprecated

Skin autodiscovery, the legacy skin installation mechanism used by MediaWiki since very early versions (around 2004), has been officially deprecated and will be removed in MediaWiki 1.25.

MediaWiki 1.23 will emit warnings in production if a skin using the deprecated mechanism is found.
See Manual:Skin autodiscovery for more information and a migration guide for site admins and skin developers.
Notifications

With 1.23, MediaWiki starts to behave more like a modern website as regards notifications, to keep the editors of your wiki engaged and always up to date about what interests them. This used to require several custom settings.

(bug 45020) Make preferences "Add pages I create and files I upload to my watchlist" and "pages and files I edit" true by default.
(bug 45022) Make preference "Email me when a page or file on my watchlist is changed" true by default.
(bug 49719) Watch user page and user talk page by default.
This will allow your new users to immediately start benefiting from the watchlist and email notification features, without needing to first read all the docs to find out that they're as useful as they are.

Merged extensions

Merged into 1.23:

ExpandTemplates (bug 28264).
AssertEdit (bug 27841) - documented at API:Assert.
Interface

(bug 42026) Add option to only show page creations in Special:Contributions (and API).
Add new special page to list duplicate files, Special:ListDuplicatedFiles.
(bug 60333) Add new special page listing tracking categories (Special:TrackingCategories).
Editing

A new special page Special:Diff was added, allowing users to create internal links to revision comparison pages using syntax such as Special:Diff/12345, Special:Diff/12345/prev or Special:Diff/12345/98765.
Help pages

With 1.23, MediaWiki begins a process of consolidation of its help pages. Now, most are using the Translate extension and can be easily translated and updated in hundreds languages.

In the coming months, we'll focus on making more of the central help pages translatable and on linking them from the relevant MediaWiki interfaces for better discoverability. Please help: add your own translations; update existing pages and cover missing MediaWiki topics.

Traditionally, help pages have been scattered on countless wikis and poorly translated; most of those on mediawiki.org were migrated with the help of some Google Code-in students.

CSS refresh for Vector

Various Vector CSS properties have been converted to LESS variables.
The font size of #bodyContent/.mw-body-content has been increased to 0.875em.
The line-height of #bodyContent/.mw-body-content has been increased to 1.6.
The line-height of superscript (sup) and subscript (sub) are now set to 1.
The default color for content text (but not the headers) is now #252525; (dark grey).
All headers have updated sizes and margins.
H1 and H2 headers now use a serif font.
Body font is "sans-serif" as always.
For more information see Typography refresh.

Configuration

Add Config and GlobalConfig classes:

Allows configuration options to be fetched from context.
Only one implementation, GlobalConfig, is provided, which simply returns $GLOBALS[$name]. There can be more classes in the future, possibly a database-based one. For convinience the "wg" prefix is automatically added.
This adds the $wgConfigClass global variable which is used to determine which implementation of Config to use by default.
The ContextSource getConfig and setConfig methods were introduced.
Full release notes: https://git.wikimedia.org/blob/mediawiki%2Fcore.git/1.23.0/RELEASE-NOTES-1.23 https://www.mediawiki.org/wiki/Release_notes/1.23

Download: http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.0.tar.gz

GPG signatures: http://download.wikimedia.org/mediawiki/1.23/mediawiki-1.23.0.tar.gz.sig

Public keys: https://www.mediawiki.org/keys/keys.html

I'd suggest we upgrade to this version and then perhaps stick with it, only doing security updates, until we need to move to another version due to it no longer being supported or because we need some new functionality.

#733: Mediawiki 1.22.7 security update

chris — Sun, 01 Jun 2014 09:20:53 GMT

See https://www.mediawiki.org/wiki/Release_notes/1.22#MediaWiki_1.22.6

#723: Mediawiki 1.22.6 Upgrade

chris — Mon, 28 Apr 2014 10:10:48 GMT

Announced a few days ago:

I would like to announce the release of MediaWiki 1.22.6 and 1.21.9. This is a regular security and maintenance release. Download links are given at the end of this email. Please note there is no new release of the 1.19 branch, as it is not affected by the security issue.

Security

(bug 63251) SECURITY: escape sortKey in pageInfo.
Bugfixes in 1.21.9

(bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
Full release notes for 1.22.6: https://www.mediawiki.org/wiki/Release_notes/1.22

#706: Upgrade Mediawiki to 1.22.5 and install the new VisualEditor

chris — Wed, 26 Mar 2014 15:46:03 GMT

From MediaWiki-announce:

this is a notice that on Thursday, March 27th between 17:00-18:00 UTC (Thursday, March 27th, 9:00-10:00am PST) we will release security and maintenance updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time.

#700: Mediawiki 1.19.13

chris — Wed, 12 Mar 2014 11:06:44 GMT

From the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.4, 1.21.7 and 1.19.13. Other than the security fix included in 1.19.13, these releases simply fix the bundled version of the tarball. Download links are given at the end of this email.

Security fix backported to 1.19

(bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
Fixes made in all tarballs

The correct branch of each extensions git repository (e.g. REL1_19 for 1.19.13) was used.

#694: Mediawiki 1.19.12 upgrade

chris — Fri, 28 Feb 2014 09:03:20 GMT

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.3, 1.21.6 and 1.19.12. These releases fix a number of security related bugs that could affect users of MediaWiki. In addition, MediaWiki 1.22.3 is a maintenance release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file for the full list of changes in this version. Download links are given at the end of this email.

Security fixes

(bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non- whitelisted namespace.
(bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
(bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

#686: MediaWiki 1.19.11 Update

chris — Wed, 29 Jan 2014 09:53:13 GMT

On the MediaWiki-announce list:

I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11.

Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandlerxtension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately.

Affected supported versions: All

Security fixes

Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. (CVE-2014-1610) https://bugzilla.wikimedia.org/show_bug.cgi?id=60339
Bug Fixes in 1.22.2

(bug 58253) Check for very old PCRE versions in installer and updater
(bug 60054) Make WikiPage::$mPreparedEdit public
Full release notes for 1.19.9:

https://www.mediawiki.org/wiki/Release_notes/1.19

#669: Mediawiki upgrade to 1.19.10

chris — Sat, 11 Jan 2014 09:00:24 GMT

Email from Mediawiki:

This is a notice that on Tuesday, January 14th between 00:00-01:00 UTC (*Monday* January 13th, 4-5pm PST) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software, as well as several extensions. Downloads and patches will be available at that time.

#620: Upgrade MediaWiki to 1.19.9

chris — Fri, 15 Nov 2013 14:57:58 GMT

See the announcement email:

I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and
1.19.9. These releases fix 2 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
Additionally, the following extensions have been updated to fix security
issues:
* CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's
are not correctly hidden when this extension is used (CVE-2013-4569).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability
(CVE-2013-4573).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
* CentralAuth: MediaWiki developer Platonides reported a login CSRF in
CentralAuth (CVE-2012-5394).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
Full release notes for 1.21.3:
<https://www.mediawiki.org/wiki/Release_notes/1.21>
Full release notes for 1.20.8:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.9:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

The steps followed for the last upgrade can be followed again, see ticket:595 and see also the documentation at wiki:PenguinServer#wiki.transitionnetwork.org

#595: Upgrade Mediawiki to 1.19.8 from 1.19.7

chris — Wed, 11 Sep 2013 22:18:05 GMT

From https://git.wikimedia.org/blob/mediawiki%2Fcore.git/REL1_19/RELEASE-NOTES-1.19

MediaWiki 1.19.8

This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.7

SECURITY: Sanitize ResourceLoader exception messages
SECURITY: Token-getting functions will fail when using jsonp callbacks.
SECURITY: Fix extension detection with 2 .'s
Allow a string other than '*' as condition for DatabaseBase::delete()
Purge upstream caches when deleting file assets.
jquery.tablesorter: Add missing dependency on jquery.mwExtension

#551: Mediawiki 1.19.7 upgrade

chris — Tue, 21 May 2013 08:25:51 GMT

From MediaWiki-announce:

This is a notice that on Tuesday, May 21st between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon. Although MediaWiki does not have the vulnerable feature enabled by default, most wiki using common advanced features will want to patch for this issue.

#536: Upgrade Mediawiki to 1.19.6

chris — Mon, 29 Apr 2013 20:35:32 GMT

A new version of Mediawiki is due out tomorrow:

This is a notice that on Tuesday, April 30th between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000128.html

The upgrade should simply be a matter of following the steps taken last time, see ticket:532#comment:2

#532: Upgrade to Mediawiki 1.19.5

chris — Mon, 15 Apr 2013 13:40:34 GMT

New version out tonight:

This is a notice that on Monday, April 15th between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon. CVSS scores are between 4.3 and 7.1, most users will want to update.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000126.html