====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN541
_____________________________________________________________________

DATE                : 25/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to 1.35.0,
                                   1.31.10, 1.34.4.

=====================================================================
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000263.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000260.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-September/000262.html
_____________________________________________________________________

I am happy to announce the belated availability of the general release
of MediaWiki 1.35!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks
to those who tested out the release candidates and provided feedback,
as well as the developers who worked hard to get several important fixes
merged in time for the 1.35 final release. To see what's changed in
1.35, see the release notes below.

Please note that the PHP version requirement has been raised from 7.2.9
in MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.

MediaWiki 1.35 is an LTS and is due to be supported until the end of
September 2023.

As a reminder, 1.31 is due to become end of life in June 2021. 1.34 is
due to become end of life in November 2020.

As per the pre-release announcement, 1.35.0 also includes some security
fixes that weren't in the release candidates, which came out yesterday
for the ther supported MediaWiki branches.

Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer
need a separate Node.js service. The documentation for this still may
still require some updates. Please report any bugs [2] if this affects
you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't
work using SQLite as the database backend for MediaWiki. This is due to
the lack of write concurrency in SQLite. If you wish to use this
feature, it is recommended to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently
still experimental. It should become stable in a later point release.
Please report any issues/bugs [3].

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer
lacks `hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML
within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs
and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki
is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in
ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when
clicking <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to
ResourceLoader hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML
within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs
and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki
is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

Open Bugs:
[1] https://phabricator.wikimedia.org/project/board/4035/

Bug report form:
[2]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release

[3]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.35-Release+expiring-watchlist-items

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz

Patch to previous version (1.35.0-rc.3):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.0.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Release Notes
https://www.mediawiki.org/wiki/Release_notes/1.35

_____________________________________________________________________


I would like to announce the release of MediaWiki 1.34.3, and 1.31.9!

These releases also serve as a maintenance release for these branches.

While tarballs have already been uploaded, git tags will follow later on
today.

An "MediaWiki Extensions Security Release Supplement" email will follow
this one.

As mentioned in the pre-release announcement, this will potentially be
the final release of the MediaWiki 1.34 branch, barring any unforeseen
issues.
For continued support in the future, you are advised to upgrade to
MediaWiki 1.35 in the near future.

The release announcement for MediaWiki 1.35 will follow this one before
the end of day tomorrow. MediaWiki 1.35 will be supported until
September 2023.

== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer
lacks `hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML
within LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs
and 'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the
correct database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki
is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T232568
* https://phabricator.wikimedia.org/T255918
* https://phabricator.wikimedia.org/T256171
* https://phabricator.wikimedia.org/T258763
* https://phabricator.wikimedia.org/T86738
* https://phabricator.wikimedia.org/T115888
* https://phabricator.wikimedia.org/T260485
* https://phabricator.wikimedia.org/T251661

== Release notes ==

Full release notes for 1.31.9:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.34.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
https://www.mediawiki.org/wiki/Release_notes/1.34

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz

Patch to previous version (1.31.8):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz

Patch to previous version (1.34.2):
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html


________________________________________________________________


The 1.31.10 and 1.34.4 versions fix the issue with the backports in the
1.31.9 and the 1.34.3 releases.

The patches linked here need applying on top of the previous patches for
1.31.9 and 1.34.3. See the previous email for those patches. The full
downloads here contain all the previous fixes from the security and
maintenance release.

1.35.0 will still be released tomorrow.

Once again, I apologise for the inconvenience of the issues with the
previous release.

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.10.tar.gz

Patch to previous version (1.31.9):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.10.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.10.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.4.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.4.tar.gz

Patch to previous version (1.34.3):
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================