
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN428
_____________________________________________________________________

DATE                : 20/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to 1.33.2,
                                    1.32.6, 1.31.6.

=====================================================================
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-December/000243.html
_____________________________________________________________________

I would like to announce the release of MediaWiki 1.33.2, 1.32.6 and 1.31.6!

These releases also serve as a maintenance release for these branches.

While tarballs have already been uploaded, git tags will follow later on
today.

As a reminder, 1.32.6 will also be the final release for 1.32 (barring
any unforeseen issues), which is scheduled to become end of life in
January 2020 [1]. If you're using 1.32, it is recommended that you
upgrade to the latest point release of the 1.33 branch (1.33.2, to be
released tomorrow) or 1.34.0 to carry on using a maintained and
supported release.

A "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==

* (T192134) Personal and site-wide CSS and JavaScript are loaded on
Special:PasswordReset.

* (T212067) wfParseUrl() incorrectly parses hostnames in older PHP and
HHVM versions due to a bug in parse_url(). This is only potentially an
issue on MW < 1.34, where it supports PHP versions 7.0.0–7.0.12 (see PHP
bug 73192) or HHVM less than 3.18.6.

* (T239466) Possible to circumvent title-blacklist (CVE-2019-19709).

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T212067
* https://phabricator.wikimedia.org/T239466
* https://phabricator.wikimedia.org/T192134
* https://bugs.php.net/bug.php?id=73192

== Release notes ==

Full release notes for 1.31.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.32.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_32/RELEASE-NOTES-1.32
https://www.mediawiki.org/wiki/Release_notes/1.32

Full release notes for 1.33.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_33/RELEASE-NOTES-1.33
https://www.mediawiki.org/wiki/Release_notes/1.33

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************

Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.6.tar.gz

Patch to previous version (1.31.5):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.6.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************

Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.6.tar.gz

Patch to previous version (1.32.5):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.6.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************

Download:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz

Patch to previous version (1.33.1):
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



