
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN208
_____________________________________________________________________

DATE                : 12/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MediaWiki versions prior to
                     1.31.13, 1.35.2, 1.31.14.

=====================================================================
https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000272.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2021-April/000273.html
_____________________________________________________________________

I would like to announce the release of MediaWiki 1.31.13 and 1.35.2!

These releases also serve as a maintenance release for these branches.
Numerous fixes have been backported into 1.35, including some for PHP
8.0 support (though we are not declaring full PHP 8.0 support yet).

This is the first MediaWiki release where zip files are included too.
This is due to some issues with the tarballs for some users with certain
extraction applications.

Composer 2.0 is also now supported on MediaWiki 1.35.2.

MediaWiki also has a new logo as of these releases.

T270453 does not apply to MediaWiki 1.31.13, as VisualEditor is not
bundled. However, the patch will be backported to the 1.31 branch if you
use VisualEditor, and you should pick up the update from the usual
places.

T279451 also does not apply to MediaWiki 1.31.13, as Parsoid is not
bundled. If you use the Node.js service, it is recommended to update this.

T276843 has been fixed in different ways on MediaWiki 1.31.13 and
MediaWiki 1.35.2. On the former, we have just disabled the known
vulnerable lexers. On 1.35.2, we have upgraded pygments from 2.5.2 to
2.7.4.

While tarballs have already been uploaded, git tags will follow later on
today.

A "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T270453, CVE-2021-30153) SECURITY: ApiVisualEditor leaks info about
hidden users.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply
protection they have right to do so via action=protect.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that
user can create pages.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in
fast double move.
* (T276843, CVE-2021-20270, CVE-2021-27291) SECURITY: Various
SyntaxHighlight lexers are vulnerable to DoS.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access
Special:ResetTokens.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-*
messages on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages
on ChangesList pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows
for inserting mostly arbitrary <meta> tags.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T270453
* https://phabricator.wikimedia.org/T270713
* https://phabricator.wikimedia.org/T270988
* https://phabricator.wikimedia.org/T272386
* https://phabricator.wikimedia.org/T276843
* https://phabricator.wikimedia.org/T277009
* https://phabricator.wikimedia.org/T278014
* https://phabricator.wikimedia.org/T278058
* https://phabricator.wikimedia.org/T279451

== Release notes ==

Full release notes for 1.31.13:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip

Patch to previous version (1.31.12):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip

Patch to previous version (1.35.1):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

_____________________________________________________________________


The 1.31.14 version fixes an issue with the backports in the 1.31.13
release.

The patches linked here need applying on top of the previous patches for
1.31.12. See the previous email for those patches. The full downloads
here contain all the previous fixes from the security and maintenance
release.

Once again, I apologise for the inconvenience of the issues with the
previous release. Going forward, we're going to be looking to run more
testing on the tarballs (in this case, static analysis via Phan) to
hopefully prevent these issues in future.

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.zip

Patch to previous version (1.31.13):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
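To turn the affected-version line of this note into a fleet check, here is an added example (not part of the CERT-Renater note or of MediaWiki's own tooling). It encodes only what the two announcements state: the 1.31 branch receives the security fixes in 1.31.13 and a follow-up 1.31.14 that repairs the 1.31.13 backports, the 1.35 branch is fixed in 1.35.2, and no release is named for any other branch. The inventory format (`host version` per line) and the sample hosts are constructed for the example.

```python
"""Triage installed MediaWiki versions against the releases in this note."""
import re

# Branch -> (first release carrying the security fixes, release to install).
# Transcribed from the announcements above: 1.31.14 fixes a backport issue
# present in 1.31.13, so 1.31.13 is flagged for a further update.
FIXED = {
    (1, 31): ((1, 31, 13), (1, 31, 14)),
    (1, 35): ((1, 35, 2), (1, 35, 2)),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(version_text):
    """Classify one version relative to the fixed releases of its branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED:
        # The note names no release for this branch (e.g. 1.32-1.34);
        # it must be handled outside this advisory, not treated as safe.
        return "no-fix-in-advisory"
    first_fixed, recommended = FIXED[branch]
    if version < first_fixed:
        return "vulnerable"
    if version < recommended:
        return "fixed-update-recommended"
    return "fixed"


def triage_inventory(lines):
    """Group hosts from 'host version' lines by triage status."""
    report = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, version = line.split()
        report.setdefault(triage(version), []).append(host)
    return report


# Constructed sample inventory, not taken from the note.
SAMPLE_INVENTORY = """\
# host version
wiki-a 1.31.12
wiki-b 1.31.13
wiki-c 1.35.1
wiki-d 1.35.2
wiki-e 1.34.4
""".splitlines()

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```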



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


