Previous T199022
```
I would like to announce the release of MediaWiki 1.32.2, 1.31.2, 1.30.2
and 1.27.6!
These releases fix 12 security issues in core and also include some minor
security and hardening patches previously committed to git.
Download links are given at the end of this email.
Patches will be pushed to Gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows.
Git tags will follow soon after. All related tasks will be made public
in Phabricator too in the following few hours.
Please note that December 2018 was the End-Of-Life date for MediaWiki 1.30. This
means that MediaWiki 1.30.2 will be the last security release for that
version, barring any unforeseen issues. We would strongly encourage users of
MediaWiki 1.30 to upgrade to MediaWiki 1.31 (LTS version), released in June 2018,
or a yet newer version as soon as possible. MediaWiki 1.31 will be supported until
July 2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more
information.
This release also serves as a maintenance release for these branches.
== Security fixes ==
* (T197279, CVE-2019-) Directly POSTing to Special:ChangeEmail would allow for
bypassing reauthentication, allowing for potential account takeover.
* (T204729, CVE-2019-) Passing invalid titles to the API could cause a DoS by
querying the entire `watchlist` table.
* (T207603, CVE-2019-) Loading user JavaScript from a non-existent account
allows anyone to create the account and XSS the users loading that script.
* (T199540, CVE-2019-) It is possible to bypass the limits on IP range blocks
(`$wgBlockCIDRLimit`) by using the API.
* (T212118, CVE-2019-) Privileged API responses that include whether a recent
change has been patrolled may be cached publicly.
* (T209794, CVE-2019-) A spammer can use Special:ChangeEmail to send out spam
with no rate limiting or ability to block them.
* (T25227, CVE-2019-) An account can be logged out without using a token (CSRF).
* (T222036, CVE-2019-) Exposed suppressed username or log in Special:EditTags.
* (T222038, CVE-2019-) Exposed suppressed log in RevisionDelete page.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T197279
* https://phabricator.wikimedia.org/T204729
* https://phabricator.wikimedia.org/T207603
* https://phabricator.wikimedia.org/T208881
* https://phabricator.wikimedia.org/T199540
* https://phabricator.wikimedia.org/T212118
* https://phabricator.wikimedia.org/T209794
* https://phabricator.wikimedia.org/T222036
* https://phabricator.wikimedia.org/T222038
* https://phabricator.wikimedia.org/T221739
* https://phabricator.wikimedia.org/T25227
== Release notes ==
Full release notes for 1.27.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27
Full release notes for 1.30.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30
Full release notes for 1.31.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31
Full release notes for 1.32.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.32
https://www.mediawiki.org/wiki/Release_notes/1.32
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz
Patch to previous version (1.27.5):
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.6.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz
Patch to previous version (1.30.1):
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz
Patch to previous version (1.31.1):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz
Patch to previous version (1.32.1):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz
Patch to previous version (1.33.1):
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
```