I would like to announce the release of MediaWiki 1.31.1, 1.30.1, 1.29.3 and 1.27.5!
These releases fix 4 security issues in core and also include some minor
security and hardening patches that were previously committed to git. Download
links are given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land in the relevant
branches as fast as our CI infrastructure allows. Git tags will follow soon after. All related
tasks will also be made public in Phabricator within the next few hours.

Please note that July 2018 was the End-Of-Life date for MediaWiki 1.29. This
means that MediaWiki 1.29.3 will be the last security release for that
version, barring any unforeseen issues. We would strongly encourage users of
MediaWiki 1.29 to upgrade to MediaWiki 1.31, released in June 2018, or a yet
newer version as soon as possible. MediaWiki 1.31 will be supported until July
2021. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T169545, CVE-2018-0503) $wgRateLimits entry for 'user' overrides 'newbie'.
* (T194605, CVE-2018-0505) BotPasswords can bypass CentralAuth's account lock.
Reported by Rxy.
* (T187638, CVE-2018-0504) When a log event is (partially) hidden,
Special:Redirect/logid can link to the incorrect log and reveal hidden information.
Reported by JJMC89.
* (T193237) Special:BotPasswords should require reauthenticate. No CVE was
issued since this is a hardening measure.
The following only affects the 1.31 tarball:
* (T199029, CVE-2018-13258) Tarball was missing .htaccess files.
== Links to all mentioned tasks ==
== Release notes ==
Full release notes for 1.27.5:
Full release notes for 1.29.3:
Full release notes for 1.30.1:
Full release notes for 1.31.1:
For information about how to upgrade, see