
Write and send release announcements for MediaWiki 1.35.5/1.36.3/1.37.1
Closed, Resolved (Public)

Description

Previous work: T285408: Write and send release announcements for MediaWiki 1.31.16/1.35.4/1.36.2

I would like to announce the release of MediaWiki 1.35.5, 1.36.3 and 1.37.1!

These releases fix multiple high-severity authorization bypasses in MediaWiki core that allow both reading the contents of private wikis and editing arbitrary pages on any wiki.

If you do not have time to upgrade right away, please set the following at the bottom of your LocalSettings.php (the last assignment of a setting wins, so it must come after any existing values) to disable the vulnerable code immediately:

  $wgActions['mcrundo'] = false;
  $wgActions['mcrrestore'] = false;
  $wgWhitelistRead = [];
  $wgWhitelistReadRegexp = [];

This will also work for vulnerable end-of-life MediaWiki versions that do not have a patch available.
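The following is an added example for this announcement, not code from the MediaWiki project. It checks whether a LocalSettings.php actually carries the interim mitigation above, judging each of the four settings by its last uncommented assignment, since a later `$wgWhitelistRead = [...]` or `$wgWhitelistRead[] = ...` would silently re-enable what the mitigation turned off. The file path and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not part of the announcement or the MediaWiki code base:
# check whether a LocalSettings.php carries the interim mitigation.
# PHP settings are plain assignments, so the LAST uncommented assignment of
# each variable wins; that is why the mitigation goes at the bottom of the
# file, and why this check looks at the last occurrence rather than the first.

# mitigation_status LOCALSETTINGS
# Prints one line per setting, e.g. "mcrundo ok", "wgWhitelistRead NONEMPTY",
# "mcrrestore missing", and returns 0 only if all four are in the disabled state.
mitigation_status() {
    awk '
        # Skip whole-line comments: //, #, and the lines of /* ... */ blocks.
        /^[ \t]*(\/\/|#|\/\*|\*)/ { next }
        {
            if ($0 ~ /\$wgActions\[[ \t]*.mcrundo.[ \t]*\]/)
                state["mcrundo"] = ($0 ~ /\][ \t]*=[ \t]*false[ \t]*;/) ? "ok" : "ENABLED"
            if ($0 ~ /\$wgActions\[[ \t]*.mcrrestore.[ \t]*\]/)
                state["mcrrestore"] = ($0 ~ /\][ \t]*=[ \t]*false[ \t]*;/) ? "ok" : "ENABLED"
            # "= [];" or "= array();" disables the whitelist; anything else,
            # including the append form "$wgWhitelistRead[] = ...", leaves it live.
            if ($0 ~ /\$wgWhitelistRead[ \t]*(\[[ \t]*\])?[ \t]*=/)
                state["wgWhitelistRead"] = ($0 ~ /\$wgWhitelistRead[ \t]*=[ \t]*(\[[ \t]*\]|array[ \t]*\([ \t]*\))[ \t]*;/) ? "ok" : "NONEMPTY"
            if ($0 ~ /\$wgWhitelistReadRegexp[ \t]*(\[[ \t]*\])?[ \t]*=/)
                state["wgWhitelistReadRegexp"] = ($0 ~ /\$wgWhitelistReadRegexp[ \t]*=[ \t]*(\[[ \t]*\]|array[ \t]*\([ \t]*\))[ \t]*;/) ? "ok" : "NONEMPTY"
        }
        END {
            n = split("mcrundo mcrrestore wgWhitelistRead wgWhitelistReadRegexp", keys, " ")
            rc = 0
            for (i = 1; i <= n; i++) {
                s = (keys[i] in state) ? state[keys[i]] : "missing"
                print keys[i], s
                if (s != "ok") rc = 1
            }
            exit rc
        }
    ' "$1"
}

# Usage (path is an example): mitigation_status /var/www/wiki/LocalSettings.php
if [ $# -gt 0 ]; then
    mitigation_status "$1"
fi
```

Run it against every wiki you operate; a non-zero exit means at least one of the four settings is absent, still enabled, or overridden further down the file. It only reads LocalSettings.php itself, so settings pulled in via require/include from another file are not seen.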

A more detailed FAQ about these issues is available at https://www.mediawiki.org/wiki/2021-12_security_release/FAQ

These releases also serve as a maintenance release for these branches.

Note that the patches are much larger than those of recent security and maintenance releases. This is due to the re-introduction of translation backports, which include the export of new languages that have met the translation threshold in the development branch of MediaWiki. These translation updates cover both MediaWiki core and the bundled skins and extensions. In the case of MediaWiki 1.35, this is translation updates going back 18 months, hence the size of the patch.

While tarballs have already been uploaded as of this e-mail, git tags will follow later today.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

== Security fixes ==
* (T292763, CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
* (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.
* (T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.
* (T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.
* (T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action.

=== Extension security fixes ===
* (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.
* (T294686) Special:Nuke doesn't actually delete pages.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T294686
* https://phabricator.wikimedia.org/T297322
* https://phabricator.wikimedia.org/T297574
* https://phabricator.wikimedia.org/T293589
* https://phabricator.wikimedia.org/T292763
* https://phabricator.wikimedia.org/T271037

== Release notes ==

Full release notes for 1.35.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.36.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_36/RELEASE-NOTES-1.36
https://www.mediawiki.org/wiki/Release_notes/1.36

Full release notes for 1.37.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-1.37
https://www.mediawiki.org/wiki/Release_notes/1.37

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip

Patch to previous version (1.36.2):
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-core-1.36.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip

Patch to previous version (1.37.0):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip

Patch to previous version (1.35.4):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
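The following is an added example, not code from the MediaWiki project or this announcement: a small shell helper for verifying a downloaded tarball or patch against its detached .sig before unpacking or applying it, then applying a verified patch. It assumes gpg and curl are installed and that you have already imported the release signing key from the Public keys page above; the optional fingerprint argument is meant to be copied from that page. `patch -p1` is this example's assumption about the patch layout; consult Manual:Upgrading if your patch tool reports path mismatches. The file names and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the MediaWiki project's tooling: verify a release
# artifact against its detached .sig before unpacking or applying it.
# Assumes gpg and curl are installed and the release signing key has been
# imported from the Public keys page linked in the announcement.
set -eu

# verify_artifact FILE SIG [FINGERPRINT]
# Returns 0 only if SIG is a good signature over FILE. When FINGERPRINT is
# given, also require that the signing key's fingerprint matches it: gpg
# prints "Good signature" for ANY key in your keyring (with only a trust
# warning), so pinning the fingerprint is what ties the artifact to the
# release manager's key rather than to whatever else you once imported.
verify_artifact() {
    file=$1
    sig=$2
    # Accept a fingerprint copied with spaces or lowercase hex.
    want_fpr=$(printf '%s' "${3:-}" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    [ -f "$sig" ]  || { echo "missing signature: $sig" >&2; return 1; }

    # --status-fd 1 puts machine-readable status lines on stdout; the
    # human-readable report on stderr is discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "BAD or unverifiable signature: $file" >&2
        return 1
    }
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1

    if [ -n "$want_fpr" ]; then
        # VALIDSIG carries the signing key's fingerprint and, last, the
        # primary key's fingerprint; either may be the one you pinned.
        printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$want_fpr" || {
            echo "good signature, but not from pinned key $want_fpr: $file" >&2
            return 1
        }
    fi
    echo "OK: $file"
}

# fetch_and_verify URL [FINGERPRINT]
# Download URL and URL.sig into the current directory and verify them.
fetch_and_verify() {
    url=$1
    name=${url##*/}
    curl -fsSLO "$url"
    curl -fsSLO "$url.sig"
    verify_artifact "$name" "$name.sig" "${2:-}"
}

# apply_verified_patch PATCH_GZ [FINGERPRINT]
# Verify the .patch.gz (its .sig must sit beside it), then apply it in the
# current directory, which must be the wiki root. -p1 is an assumption of
# this example; a verification failure aborts before patch runs (set -e).
apply_verified_patch() {
    verify_artifact "$1" "$1.sig" "${2:-}"
    gunzip -c "$1" | patch -p1
}

# Usage: sh verify-release.sh <artifact URL from the announcement> [FINGERPRINT]
if [ $# -gt 0 ]; then
    fetch_and_verify "$@"
fi
```

Verify the full tarball, the core-only tarball or the patch the same way; for a patch, cd into the wiki root and call `apply_verified_patch mediawiki-1.36.3.patch.gz <FINGERPRINT>` after fetching it, then continue with the steps on the Manual:Upgrading page linked above.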

Details

Due Date
Dec 15 2021, 11:30 PM

Event Timeline

Reedy renamed this task from "Write and send release announcements for MediaWiki 1.31.16/1.35.4/1.36.2" to "Write and send release announcements for MediaWiki 1.35.5/1.36.3". Sep 30 2021, 6:45 PM
Reedy renamed this task from "Write and send release announcements for MediaWiki 1.35.5/1.36.3" to "Write and send release announcements for MediaWiki 1.35.5/1.36.3/1.37.1". Nov 24 2021, 5:19 PM
Reedy set Due Date to Dec 15 2021, 11:30 PM.
Reedy updated the task description.
Reedy changed the task status from Open to In Progress. Dec 10 2021, 7:47 PM
Reedy triaged this task as Medium priority.

I'm going to split the FAQ draft into a separate ticket so I can add the original reporter to it.

Legoktm updated the task description.
Reedy claimed this task.
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".
Reedy changed the edit policy from "acl*security (Project)" to "All Users".