This is great. Thank you. I don't believe tags were created for 1.27 or 1.28, though.
On Apr 6, 2017 4:40 PM, "Chad Horohoe" <[email protected]> wrote: > Hello! > > I would like to announce the release of MediaWiki 1.28.1, 1.27.2 and > 1.23.16! > > These releases fix five security issues in core and one for the extension > SyntaxHighlight_GeSHi. Download links are given at the end of this email. > > Please note that next month is the End-Of-Life date for MediaWiki 1.23. > This > means that MediaWiki 1.23.16 will be the last security release for that > version, barring any unforeseen issues. We would strongly encourage users > of > MediaWiki 1.23 to upgrade to MediaWiki 1.27, released in June 2016, or a > yet > newer version as soon as possible. MediaWiki 1.27 will be supported until > June > 2019. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more > information. > > This release also serves as a maintenance release for these branches. > > == Security fixes == > * (T109140) (T122209) Special:UserLogin and Special:Search allow redirect > to interwiki links. (CVE-2017-0363, CVE-2017-0364) > * (T144845) XSS in SearchHighlighter::highlightText() when > $wgAdvancedSearchHighlighting is true. (CVE-2017-0365) > * (T125177) API parameters may now be marked as "sensitive" to keep > their values out of the logs. (CVE-2017-0361) > * (T150044) "Mark all pages visited" on the watchlist now requires a CSRF > token. (CVE-2017-0362) > * (T156184) Escape content model/format url parameter in message. > (CVE-2017-0368) > * (T151735) SVG filter evasion using default attribute values in DTD > declaration. (CVE-2017-0366) > * (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion > syntax's link parameter. (CVE-2017-0370) > * (T108138) Sysops can undelete pages, although the page is protected > against > it. (CVE-2017-0369) > > The following only affects 1.27 and above and is not included in the 1.23 > upgrade: > * (T161453) LocalisationCache will no longer use the temporary directory > in its fallback chain when trying to work out where to write the cache. > (CVE-2017-0367) > > The following fix is for the SyntaxHighlight extension: > * (T158689) Parameters injection in SyntaxHighlight results in multiple > vulnerabilities. > (CVE-2017-0372) > > == Links to all mentioned tasks == > https://phabricator.wikimedia.org/T109140 > https://phabricator.wikimedia.org/T122209 > https://phabricator.wikimedia.org/T144845 > https://phabricator.wikimedia.org/T125177 > https://phabricator.wikimedia.org/T150044 > https://phabricator.wikimedia.org/T156184 > https://phabricator.wikimedia.org/T151735 > https://phabricator.wikimedia.org/T161453 > https://phabricator.wikimedia.org/T48143 > https://phabricator.wikimedia.org/T108138 > https://phabricator.wikimedia.org/T158689 > > == Release notes == > > Full release notes for 1.28.1: > <https://www.mediawiki.org/wiki/Release_notes/1.28> > > Full release notes for 1.27.2: > <https://www.mediawiki.org/wiki/Release_notes/1.27> > > Full release notes for 1.23.16: > <https://www.mediawiki.org/wiki/Release_notes/1.23> > > For information about how to upgrade, see > <https://www.mediawiki.org/wiki/Manual:Upgrading> > > ********************************************************************** > 1.23.16 > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.tar.gz > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.23/mediawiki- > core-1.23.16.tar.gz > > Patch to previous version (1.23.15), without interface text: > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.patch.gz > > Interface text changes: > https://releases.wikimedia.org/mediawiki/1.23/mediawiki- > i18n-1.23.16.patch.gz > > GPG signatures: > https://releases.wikimedia.org/mediawiki/1.23/mediawiki- > core-1.23.16.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.23/mediawiki- > 1.23.16.patch.gz.sig > https://releases.wikimedia.org/mediawiki/1.23/mediawiki- > i18n-1.23.16.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > 1.27.2 > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.tar.gz > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.2.tar.gz > > Patch to previous version (1.27.1), without interface text: > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.patch.gz > > Interface text changes: > https://releases.wikimedia.org/mediawiki/1.27/mediawiki- > i18n-1.27.2.patch.gz > > GPG signatures: > https://releases.wikimedia.org/mediawiki/1.27/mediawiki- > core-1.27.2.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.27/mediawiki- > 1.27.2.patch.gz.sig > https://releases.wikimedia.org/mediawiki/1.27/mediawiki- > i18n-1.27.2.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > 1.28.1 > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.tar.gz > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.1.tar.gz > > Patch to previous version (1.28.0), without interface text: > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.patch.gz > > Interface text changes: > https://releases.wikimedia.org/mediawiki/1.28/mediawiki- > i18n-1.28.1.patch.gz > > GPG signatures: > https://releases.wikimedia.org/mediawiki/1.28/mediawiki- > core-1.28.1.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.28/mediawiki- > 1.28.1.patch.gz.sig > https://releases.wikimedia.org/mediawiki/1.28/mediawiki- > i18n-1.28.1.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > _______________________________________________ > MediaWiki announcements mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce > _______________________________________________ > Wikitech-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
