Ticket #892 (new maintenance)

Opened 11 months ago

Last modified 11 months ago

MediaWiki Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

Reported by: chris
Owned by: chris
Priority: minor
Milestone: Maintenance
Component: Mediawiki
Keywords:
Cc: ade
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0

Description

Email to the announcements list:

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5,
and 1.23.12.
                                                    
These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email.
                                                                                                                                                             
== Security fixes ==       
                                                                                                                                                             
(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
                                                                                                                                                             
(T119309) SECURITY: Use hash_compare() for edit token comparison 
                                                                                                                                                             
(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
                                                                                                                                                             
(T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
                                                                                                                                                             
(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could                                                                                  
result in improper blocks being issued       
                                                                                                                                                             
(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
                                                                                                                                                             
== Note about EOL of 1.24.x ==                                                                                                                               
                                                                                                                                                             
Please note that 1.24.5 marks the end of support for the 1.24.x series of                                                                                    
releases. Technically this ended a few weeks ago with the release of 1.26.0
but we dropped one final release of 1.24.x here to give it a nicer send off
for those who have not yet upgraded.
                                                                                                                                                             
== Release notes ==                                                                                                                                          
                                                                                                                                                             
Full release notes for 1.26.1:                                                                                                                               
<https://www.mediawiki.org/wiki/Release_notes/1.26>                                                                                                          
                                                                                                                                                             
Full release notes for 1.25.4:                                                                                                                               
<https://www.mediawiki.org/wiki/Release_notes/1.25>                                                                                                          
                                                                                                                                                             
Full release notes for 1.24.5:                                                                                                                               
<https://www.mediawiki.org/wiki/Release_notes/1.24>                                                                                                          
                                                                                                                                                             
Full release notes for 1.23.12:                                                                                                                              
<https://www.mediawiki.org/wiki/Release_notes/1.23>                                                                                                          
                                                                                                                                                             
For information about how to upgrade, see                                                                                                                    
<https://www.mediawiki.org/wiki/Manual:Upgrading>    
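
The $wgArticlePath rule from (T117899) above, as an added example that is not part of the announcement or of MediaWiki's own code: a Python check that audits the text of a LocalSettings.php for values the patched releases will reject. The function names, the "review" verdict and the sample file are constructed for illustration, and accepting only http:// and https:// as full URLs is an assumption based on the announcement's examples.

```python
import re

# Any assignment to $wgArticlePath that is not commented out at line start.
ASSIGN_RE = re.compile(r"^[ \t]*\$wgArticlePath\s*=\s*(?P<rhs>[^;]*);", re.MULTILINE)
# Right-hand side that is one plain quoted string literal.
LITERAL_RE = re.compile(r"""^(?P<q>['"])(?P<value>[^'"]*)(?P=q)$""")

def classify_article_path(value):
    """Apply the announcement's rule to one literal $wgArticlePath value."""
    if value.startswith("/") or re.match(r"https?://", value):
        return "ok"        # "/wiki/$1", "http://my.wiki.com/wiki/$1"
    return "error"         # "$1", "wiki/$1": relative, no leading slash

def audit_local_settings(text):
    """Return (line_number, rhs, verdict) for each $wgArticlePath assignment."""
    findings = []
    for m in ASSIGN_RE.finditer(text):
        line_no = text.count("\n", 0, m.start("rhs")) + 1
        rhs = m.group("rhs").strip()
        lit = LITERAL_RE.match(rhs)
        if lit is None:
            verdict = "review"   # concatenation or expression: resolve by hand
        elif lit.group("q") == '"' and re.search(r"\$[A-Za-z_{]", lit.group("value")):
            verdict = "review"   # double quotes interpolate PHP variables
        else:
            verdict = classify_article_path(lit.group("value"))
        findings.append((line_no, rhs, verdict))
    return findings

# Constructed sample input, not taken from any real wiki.
SAMPLE = '''<?php
$wgScriptPath = "/w";
# $wgArticlePath = "wiki/$1";
$wgArticlePath = "/wiki/$1";
$wgArticlePath = 'wiki/$1';
$wgArticlePath = "$1";
$wgArticlePath = "http://my.wiki.com/wiki/$1";
$wgArticlePath = "$wgScriptPath/index.php/$1";
$wgArticlePath = $wgScript . '/$1';
'''

if __name__ == "__main__":
    for line_no, rhs, verdict in audit_local_settings(SAMPLE):
        print(f"line {line_no}: {rhs:45} {verdict}")
```

Any "error" line needs changing before the upgrade, since the new releases throw an error on such values; a "review" line has to be resolved by hand because its final value depends on other variables.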

Change History

comment:1 Changed 11 months ago by chris

And a follow up email:

We would like to announce the release of MediaWiki 1.26.2, 1.25.5, 1.24.6,
and 1.23.13.

These are maintenance releases to fix regressions introduced in the
previous release.

Download links are given at the end of this email.

== Maintenance fixes ==
(T121892) Various special pages resulted in fatal errors.

== Note about EOL of 1.24.x ==

Please note that 1.24.6 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0.

However, 1.24.5 had issues (along with other versions), so it was thought
fair to fix them.

== Release notes ==

Full release notes for 1.26.2:
<https://www.mediawiki.org/wiki/Release_notes/1.26>

Full release notes for 1.25.5:
<https://www.mediawiki.org/wiki/Release_notes/1.25>

Full release notes for 1.24.6:
<https://www.mediawiki.org/wiki/Release_notes/1.24>

Full release notes for 1.23.13:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
   1.26.2
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.2.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-i18n-1.26.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.25.5
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.5.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.24.6
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.6.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.6.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.6.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
   1.23.12
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz

Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.12.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html