Page MenuHomePhabricator
Create Task
Maniphest T256380

Write and send release announcements for MediaWiki 1.35.0
Closed, ResolvedPublic
Actions

Description

See {T241006} for last time.

I am happy to announce the belated availability of the general release of MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidates and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.35 final release. To see what's changed in 1.35, see the release notes below.

Please note that the PHP version requirement has been raised from 7.2.9 in MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is due to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security fixes that weren't in the release candidates, which came out yesterday for the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer need a separate Node.js service. The documentation for this still may still require some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work using SQLite as the database backend for MediaWiki. This is due to the lack of write concurrency in SQLite. If you wish to use this feature, it is recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still experimental. It should become stable in a later point release. Please report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReedyT256375 Release MW 1.35.0
 ResolvedReedyT256380 Write and send release announcements for MediaWiki 1.35.0

Event Timeline

Jdforrester-WMF renamed this task from Release MW 1.35.0-rc.0 to Write and send release announcements for MediaWiki 1.35.0.Jun 25 2020, 3:28 PM
Jdforrester-WMF created this task.
Jdforrester-WMF updated the task description. (Show Details)
DannyS712 subscribed.Jun 25 2020, 3:29 PM
eprodromou claimed this task.Jun 30 2020, 8:26 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou added subscribers: CCicalese_WMF, eprodromou.

As PM for PET, I'll take on the task for doing this. @CCicalese_WMF can you help me out with this?

CCicalese_WMF added a comment.Jun 30 2020, 8:30 PM

👍

eprodromou removed a project: Platform Team Workboards (Clinic Duty Team).Jul 7 2020, 8:54 PM
Reedy moved this task from Blocker to Meta on the MW-1.35-release board.Jul 29 2020, 12:18 AM
Universal_Omega subscribed.Aug 28 2020, 3:53 PM
Jontheil subscribed.Sep 24 2020, 5:03 PM
Reedy claimed this task.Sep 25 2020, 2:10 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy triaged this task as Medium priority.Sep 25 2020, 2:15 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Sep 25 2020, 2:35 PM
Jdforrester-WMF awarded a token.Sep 25 2020, 2:41 PM
Reedy closed this task as Resolved.Sep 25 2020, 4:19 PM
Reedy updated the task description. (Show Details)

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000263.html

Reedy mentioned this in T283887: Write and send release announcement for 1.36.0.May 27 2021, 10:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL