
====================================================================

                             CERT-Renater

                  Information Note No. 2020/VULN699
_____________________________________________________________________

DATE                : 18/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to
                          1.31.12, 1.35.1.

=====================================================================
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-December/048611.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-December/048613.html
_____________________________________________________________________


I would like to announce the release of MediaWiki 1.31.11 and 1.35.1!

These releases also serve as a maintenance release for these branches.
Numerous fixes have been backported into 1.35, including some for PHP 8.0
support (though we are not declaring full PHP 8.0 support yet).

T268894 doesn't apply to MediaWiki 1.31, as the code was added in 1.35.
Also, only one of the two fixes of T268938 applies to MediaWiki 1.31, as the
code was not added until MediaWiki 1.33.

While tarballs have already been uploaded, git tags will follow later on
today.

A "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T268894, CVE-2020-35474) SECURITY: Message
recentchanges-legend-watchlistexpiry can contain raw html.
* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current
and userrights-expiry-none can contain raw html.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can
output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log
entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions
and user pages of hidden users and missing users.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T268894
* https://phabricator.wikimedia.org/T268917
* https://phabricator.wikimedia.org/T268938
* https://phabricator.wikimedia.org/T205908
* https://phabricator.wikimedia.org/T120883

== Release notes ==

Full release notes for 1.31.11:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz

Patch to previous version (1.31.10):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz

Patch to previous version (1.35.0):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

_____________________________________________________________________


The 1.31.12 version fixes the issue with the backports in the
1.31.11 release.

The patches linked here need applying on top of the previous patches for
1.31.11. See the previous email for those patches. The full
downloads here contain all the previous fixes from the security and
maintenance release.

Once again, I apologise for the inconvenience of the issues with the
previous release.

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.12.tar.gz

Patch to previous version (1.31.11):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




