[MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

Sam Reed
I would like to announce the release of MediaWiki 1.34.2, 1.33.4 and 1.31.8!

These releases also serve as a maintenance release for these branches.

We've noted that this is minor, and as such you don't need to apply them as
quickly as with other security releases, if you're unable to do so, or if
you're not running a private wiki. We therefore decided to continue with
getting the security (and maintenance) release out for this quarter as
planned, even with the global situation as is.

While tarballs have already been uploaded, git tags will follow later on
today.

An "MediaWiki Extensions Security Release Supplement" email will follow
this one.

As mentioned in the pre-release announcement, this will be the final
release of the MediaWiki 1.33 branch, barring any unforeseen issues. If you
are currently running 1.33, you are advised to upgrade to a newer,
supported version of MediaWiki, which as of writing is MediaWiki 1.34 (as
1.35 has not been released yet). MediaWiki 1.34 will be supported until
November 2020. A separate notification of this will be sent out too.

== Security fixes ==
* (T248947) img_auth.php may leak private extension images into the public
cache. CVE-2020-15005

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T248947

== Release notes ==

Full release notes for 1.31.8:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.33.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_33/RELEASE-NOTES-1.33
https://www.mediawiki.org/wiki/Release_notes/1.33

Full release notes for 1.34.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
https://www.mediawiki.org/wiki/Release_notes/1.34

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz

Patch to previous version (1.31.7):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz

Patch to previous version (1.33.3):
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz

Patch to previous version (1.34.1):
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

Marshall Lake

I'm running an older version of MediaWiki ... 1.27.4

I installed it via the Software Manager on Mint 19.3.  1.27.4 seems to be
the only version available on the Software Manager.  I attempted to
install a later version via a tarball but ran into problems.

Is it possible to obtain a current version using the Software Manager?



On Wed, 24 Jun 2020, Sam Reed wrote:

> I would like to announce the release of MediaWiki 1.34.2, 1.33.4 and 1.31.8!
>
> These releases also serve as a maintenance release for these branches.
>
> We've noted that this is minor, and as such you don't need to apply them as
> quickly as with other security releases, if you're unable to do so, or if
> you're not running a private wiki. We therefore decided to continue with
> getting the security (and maintenance) release out for this quarter as
> planned, even with the global situation as is.
>
> While tarballs have already been uploaded, git tags will follow later on
> today.
>
> An "MediaWiki Extensions Security Release Supplement" email will follow
> this one.
>
> As mentioned in the pre-release announcement, this will be the final
> release of the MediaWiki 1.33 branch, barring any unforeseen issues. If you
> are currently running 1.33, you are advised to upgrade to a newer,
> supported version of MediaWiki, which as of writing is MediaWiki 1.34 (as
> 1.35 has not been released yet). MediaWiki 1.34 will be supported until
> November 2020. A separate notification of this will be sent out too.
>
> == Security fixes ==
> * (T248947) img_auth.php may leak private extension images into the public
> cache. CVE-2020-15005
>
> == Links to all mentioned tasks ==
> * https://phabricator.wikimedia.org/T248947
>
> == Release notes ==
>
> Full release notes for 1.31.8:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
> https://www.mediawiki.org/wiki/Release_notes/1.31
>
> Full release notes for 1.33.4:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_33/RELEASE-NOTES-1.33
> https://www.mediawiki.org/wiki/Release_notes/1.33
>
> Full release notes for 1.34.2:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
> https://www.mediawiki.org/wiki/Release_notes/1.34
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz
>
> Patch to previous version (1.31.7):
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz
>
> Patch to previous version (1.33.3):
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz
>
> Patch to previous version (1.34.1):
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

--
Marshall Lake -- [hidden email] -- http://www.mlake.net

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

[MediaWiki-l] Mediawiki on Mint 19.3 (was: Security and maintenance release...)

Jeffrey Walton
On Wed, Jun 24, 2020 at 2:16 PM Marshall Lake <[hidden email]> wrote:
>
> I'm running an older version of MediaWiki ... 1.27.4
>
> I installed it via the Software Manager on Mint 19.3.  1.27.4 seems to be
> the only version available on the Software Manager.  I attempted to
> install a later version via a tarball but ran into problems.
>
> Is it possible to obtain a current version using the Software Manager?

I don't have a Mint 19.3 release to test, but you can probably get
something more recent if you perform a dist-upgrade. But it probably
won't be the latest, like MW 1.34.2.

When working with distros that provide old software, you will probably
need to do something like this:
https://github.com/weidai11/website/blob/master/mediawiki/wiki-upgrade.txt.
They are the instructions I use to keep a CentOS 7 box current.

If that looks too complex, then consider moving to Fedora. Fedora
provides the latest software available during its release. Fedora
releases every 6 months, so every 6 months you do the equivalent of a
dist-upgrade using
https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/.

Jeff

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

Sam Reed
In reply to this post by Marshall Lake
The mint package search tool at http://packages.linuxmint.com/ is currently
pretty broken... So I can't tell you what's in 20, and as such, whether
upgrading your OS will help

But as it's a Debian derivative, and
https://packages.debian.org/buster/mediawiki exists... It shouldn't be
difficult for them to bring in the packages from upstream

On Wed, 24 Jun 2020 at 19:15, Marshall Lake <[hidden email]> wrote:

>
> I'm running an older version of MediaWiki ... 1.27.4
>
> I installed it via the Software Manager on Mint 19.3.  1.27.4 seems to be
> the only version available on the Software Manager.  I attempted to
> install a later version via a tarball but ran into problems.
>
> Is it possible to obtain a current version using the Software Manager?
>
>
>
> On Wed, 24 Jun 2020, Sam Reed wrote:
>
> > I would like to announce the release of MediaWiki 1.34.2, 1.33.4 and
> 1.31.8!
> >
> > These releases also serve as a maintenance release for these branches.
> >
> > We've noted that this is minor, and as such you don't need to apply them
> as
> > quickly as with other security releases, if you're unable to do so, or if
> > you're not running a private wiki. We therefore decided to continue with
> > getting the security (and maintenance) release out for this quarter as
> > planned, even with the global situation as is.
> >
> > While tarballs have already been uploaded, git tags will follow later on
> > today.
> >
> > An "MediaWiki Extensions Security Release Supplement" email will follow
> > this one.
> >
> > As mentioned in the pre-release announcement, this will be the final
> > release of the MediaWiki 1.33 branch, barring any unforeseen issues. If
> you
> > are currently running 1.33, you are advised to upgrade to a newer,
> > supported version of MediaWiki, which as of writing is MediaWiki 1.34 (as
> > 1.35 has not been released yet). MediaWiki 1.34 will be supported until
> > November 2020. A separate notification of this will be sent out too.
> >
> > == Security fixes ==
> > * (T248947) img_auth.php may leak private extension images into the
> public
> > cache. CVE-2020-15005
> >
> > == Links to all mentioned tasks ==
> > * https://phabricator.wikimedia.org/T248947
> >
> > == Release notes ==
> >
> > Full release notes for 1.31.8:
> >
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
> > https://www.mediawiki.org/wiki/Release_notes/1.31
> >
> > Full release notes for 1.33.4:
> >
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_33/RELEASE-NOTES-1.33
> > https://www.mediawiki.org/wiki/Release_notes/1.33
> >
> > Full release notes for 1.34.2:
> >
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34
> > https://www.mediawiki.org/wiki/Release_notes/1.34
> >
> > For information about how to upgrade, see
> > <https://www.mediawiki.org/wiki/Manual:Upgrading>
> >
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz
> >
> > Download without bundled extensions:
> >
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz
> >
> > Patch to previous version (1.31.7):
> > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz
> >
> > GPG signatures:
> >
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.8.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> >
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz
> >
> > Download without bundled extensions:
> >
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz
> >
> > Patch to previous version (1.33.3):
> > https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz
> >
> > GPG signatures:
> >
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-core-1.33.4.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.33/mediawiki-1.33.4.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> >
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz
> >
> > Download without bundled extensions:
> >
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz
> >
> > Patch to previous version (1.34.1):
> > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz
> >
> > GPG signatures:
> >
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.2.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz.sig
> >
> https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
> --
> Marshall Lake -- [hidden email] -- http://www.mlake.net
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

Kunal Mehta
In reply to this post by Marshall Lake
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 2020-06-24 11:15, Marshall Lake wrote:

>
> I'm running an older version of MediaWiki ... 1.27.4
>
> I installed it via the Software Manager on Mint 19.3.  1.27.4 seems
> to be the only version available on the Software Manager.  I
> attempted to install a later version via a tarball but ran into
> problems.
>
> Is it possible to obtain a current version using the Software
> Manager?

I've never tested with Linux Mint before, but my understanding is that
it should be close enough to Ubuntu that you can use my PPA
<https://launchpad.net/~legoktm/+archive/ubuntu/mediawiki-lts> to get
updated packages.

If it doesn't work out, let me know and I'll see what I can do to help
get working packages for Mint.

- -- Legoktm
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE2MtZ8F27ngU4xIGd8QX4EBsFJpsFAl7zxmQACgkQ8QX4EBsF
JpsGkxAAlVUyMeFHsynuFeMSz15YTWAuTsGkpaTGBQjSQ4G9aqGb59tNPpBBAZQB
D0Vn7ZBI0hwJRUFBh58ouGNYJBFVyj1XKh7znfKUur5TPRjrOjyscko5ss/Tv26f
KTiv6gZRH+QQ2U7hExB1a+XS8WELzao7qFBS1pu4Hx+4OOO6qUdiZVS2JKoyMk3Z
RDMej4dpTaYh3WwVWFa9bh9LldhoSs8YKTortwbnjulofLqCIwZv0RMFCtCNqtfv
HhwP8aja1ryi/T/m3IfDvKPQIMTyDP/SGcLqI8wMV0LrQKJCu2PvnSQTADcuyBTR
BFCodyYPnoGHJFcLWayVa4AUkOXcavEwqnfnr1cgQiudJcoWSodQI2NdODYDctyZ
CM5UzPWCMlMFPP8PI2bhJzF1IlJ6eTGXlqIIw2TlV98CaAg8o8CwYKfFj4BdeR8E
ZIxUJVcHiL6/o4l6fxYiQTaKj4NoCvsJkYIYjc95AH442UVw67DeB16brDfpJs+x
9L4tYYMAD064BNqJkLgelhwq2GbOlKM/7tOURcXGmCR6XAh6VUCO+w1TWLc5w8LS
cMJkoBsut9QYhlRk6dQCvKvnkIrAox/aREBZVN/e/hL+BYm97gn4ho6SVtt1p1b0
3B/WqSEoIT1RPQpz5J3hz09gXvwCo7MsTGCMzxEms5gLen+Jj4M=
=f7Ku
-----END PGP SIGNATURE-----

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: [MediaWiki-l] Security and maintenance release: 1.31.8 / 1.33.4 / 1.34.2

Marshall Lake

On Wed, 24 Jun 2020, Kunal Mehta wrote:

> On 2020-06-24 11:15, Marshall Lake wrote:
>>
>> I'm running an older version of MediaWiki ... 1.27.4
>>
>> I installed it via the Software Manager on Mint 19.3.  1.27.4 seems to
>> be the only version available on the Software Manager.  I attempted to
>> install a later version via a tarball but ran into problems.
>>
>> Is it possible to obtain a current version using the Software Manager?

> I've never tested with Linux Mint before, but my understanding is that
> it should be close enough to Ubuntu that you can use my PPA
> <https://launchpad.net/~legoktm/+archive/ubuntu/mediawiki-lts> to get
> updated packages.
>
> If it doesn't work out, let me know and I'll see what I can do to help
> get working packages for Mint.

After adding your PPA and doing "apt-get update ; apt-get upgrade",
MediaWiki v1.31.7 is now installed, although, things are different and I
cannot find the wiki page I was working on.  I'll keep playing with it in
my spare time, but the update/upgrade/install does seem to have worked.

--
Marshall Lake -- [hidden email] -- http://www.mlake.net

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l