
Write release announcements for 1.27.5/1.29.3/1.30.1/1.31.1 security releases
Closed, Resolved | Public

Description

Previous T180268

I would like to announce the release of MediaWiki 1.31.1, 1.30.1, 1.29.3 and 1.27.5!

These releases fix 4 security issues in core and also include some minor
security and hardening patches previously committed to git. Download links are
given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land into the relevant
branches as fast as our CI infrastructure allows. Git tags will follow soon after. All related
tasks will be made public in Phabricator too in the following few hours.

Please note that July 2018 was the End-Of-Life date for MediaWiki 1.29. This
means that MediaWiki 1.29.3 will be the last security release for that
version, barring any unforeseen issues. We would strongly encourage users of
MediaWiki 1.29 to upgrade to MediaWiki 1.31, released in June 2018, or a yet
newer version as soon as possible. MediaWiki 1.31 will be supported until July
2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

The patch files for this release are larger than normal as we are switching to a new
release script that more aggressively removes dotfiles and other development files.
Extensions missing from previous releases have been re-added, and unnecessary
dependencies in vendor have been removed.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T169545, CVE-2018-0503) $wgRateLimits entry for 'user' overrides 'newbie'.
* (T194605, CVE-2018-0505) BotPasswords can bypass CentralAuth's account lock.
  Reported by Rxy.
* (T187638, CVE-2018-0504) When a log event is (partially) hidden
  Special:Redirect/logid can link to the incorrect log and reveal hidden information.
  Reported by JJMC89.
* (T193237) Special:BotPasswords should require reauthenticate. No CVE was
  issued since this is a hardening measure.

The following only affects the 1.31 tarball:
* (T199029, CVE-2018-13258) Tarball was missing .htaccess files.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T169545
* https://phabricator.wikimedia.org/T194605
* https://phabricator.wikimedia.org/T187638
* https://phabricator.wikimedia.org/T193237
* https://phabricator.wikimedia.org/T199029

== Release notes ==

Full release notes for 1.27.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.29.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
https://www.mediawiki.org/wiki/Release_notes/1.29

Full release notes for 1.30.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30

Full release notes for 1.31.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz

Patch to previous version (1.27.4):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.5.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz

Patch to previous version (1.29.2):
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz

Patch to previous version (1.30.0):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz

Patch to previous version (1.31.0):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Event Timeline

Reedy created this task. Jul 7 2018, 4:51 PM
Reedy created this object with visibility "Custom Policy".
Reedy updated the task description. Jul 7 2018, 5:08 PM
Reedy updated the task description. Sep 15 2018, 2:42 AM
Reedy changed Risk Rating from N/A to default.
Reedy updated the task description. Sep 15 2018, 2:45 AM
Legoktm updated the task description. Sep 15 2018, 3:47 AM
Legoktm updated the task description. Sep 15 2018, 3:50 AM
Legoktm updated the task description. Sep 15 2018, 3:55 AM
Legoktm updated the task description. Sep 20 2018, 5:41 PM
Reedy updated the task description. Sep 20 2018, 6:23 PM
Reedy updated the task description. Sep 20 2018, 6:41 PM
Reedy updated the task description. Sep 20 2018, 6:58 PM
Reedy updated the task description. Sep 20 2018, 7:12 PM
Reedy updated the task description. Sep 20 2018, 8:24 PM
Reedy closed this task as Resolved. Sep 20 2018, 9:21 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 20 2018, 9:35 PM