Hi! There are no corresponding Git tags 1.29.2, 1.28.3, 1.27.4; could someone issue them?
I guess they are respectively ee7f9fe, 5b85506, a806476.

Thanks!
~ Seb35

On 15/11/2017 at 00:37, Sam Reed wrote:
> I would like to announce the release of MediaWiki 1.29.2, 1.28.3 and 1.27.4!
>
> These releases fix nine security issues in core and one related issue in
> the vendor folder. Download links are given at the end of this email.
>
> Patches will be pushed to gerrit after this email is sent, and will land
> into the relevant branches as fast as our CI infrastructure allows. Git tags
> will follow soon after. All related tasks will be made public in phabricator
> too in the following few hours.
>
> Please note that this month is the End-Of-Life date for MediaWiki 1.28. This
> means that MediaWiki 1.28.3 will be the last security release for that
> version, barring any unforeseen issues. We would strongly encourage users of
> MediaWiki 1.28 to upgrade to MediaWiki 1.29, released in July 2017, or a yet
> newer version as soon as possible. MediaWiki 1.29 will be supported until
> July 2018. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more
> information.
>
> This release also serves as a maintenance release for these branches.
>
> == Security fixes ==
> * (T128209) Reflected File Download from api.php. Reported by Abdullah
>   Hussam. (CVE-2017-8809)
> * (T165846) BotPasswords doesn't throttle login attempts.
> * (T134100) On private wikis, login form shouldn't distinguish between
>   login failure due to bad username and bad password. (CVE-2017-8810)
> * (T178451) XSS when $wgShowExceptionDetails = false and browser sends
>   non-standard url escaping. (CVE-2017-8808)
> * (T176247) It's possible to mangle HTML via raw message parameter
>   expansion. (CVE-2017-8811)
> * (T125163) id attribute on headlines allow raw >. (CVE-2017-8812)
> * (T124404) language converter can be tricked into replacing text inside
>   tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
> * (T119158) Language converter: unsafe attribute injection via glossary
>   rules (CVE-2017-8815)
>
> The following only affects 1.29:
> * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't
>   correctly fixed in all branches in the previous security release.
>   (CVE-2017-0361)
>
> The following only affects 1.27 and 1.28:
> * (T180231) composer.json has require-dev versions of PHPUnit with known
>   security issues. Reported by Tom Hutchison. (CVE-2017-9841)
>
> It is recommended to run `composer update --no-dev` after upgrading to MW
> 1.27.4 or 1.28.3 if you installed MediaWiki via git. If you are using the
> tarball, you are not affected, and you do not need to run this command. This
> will remove developer dependencies that production wikis do not require. If
> you require developer dependencies, run `composer update` which will update
> to a version of PHPUnit without known RCE.
>
> If you cannot run `composer update` for any reason, it is recommended that
> you delete the offending file as a minimum yourself using the following
> command:
>
> `rm -rf vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`
>
> == Links to all mentioned tasks ==
> https://phabricator.wikimedia.org/T128209
> https://phabricator.wikimedia.org/T165846
> https://phabricator.wikimedia.org/T134100
> https://phabricator.wikimedia.org/T178451
> https://phabricator.wikimedia.org/T176247
> https://phabricator.wikimedia.org/T125163
> https://phabricator.wikimedia.org/T180231
> https://phabricator.wikimedia.org/T125163
> https://phabricator.wikimedia.org/T124404
> https://phabricator.wikimedia.org/T119158
> https://phabricator.wikimedia.org/T180488
> https://phabricator.wikimedia.org/T125177
>
> == Release notes ==
>
> Full release notes for 1.27.4:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
> https://www.mediawiki.org/wiki/Release_notes/1.27
>
> Full release notes for 1.28.3:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES-1.28
> https://www.mediawiki.org/wiki/Release_notes/1.28
>
> Full release notes for 1.29.2:
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
> https://www.mediawiki.org/wiki/Release_notes/1.29
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz
>
> Patch to previous version (1.27.3):
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz
>
> Patch to previous version (1.28.2):
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
>
> Download without bundled extensions:
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz
>
> Patch to previous version (1.29.1):
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.patch.gz.sig
>
> Public keys:
> https://www.mediawiki.org/keys/keys.html
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
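
The cleanup step in the quoted announcement (delete `vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` when `composer update` cannot be run) can be verified across several git-based installs at once. The script below is an added example, not part of the original e-mails or of MediaWiki's tooling; the function names and the directories passed to it are assumptions.

```shell
#!/bin/sh
# Added example: report MediaWiki checkouts that still ship the PHPUnit file
# the announcement says to remove. Which roots to scan is an assumption.

# Path from the announcement, relative to a MediaWiki root.
EVAL_STDIN_REL='vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'

# Print every copy of the file found below the given directory, one per line.
find_eval_stdin() {
    find "$1" -type f -path "*/$EVAL_STDIN_REL" 2>/dev/null
}

# Audit one or more directories. Prints "AFFECTED <path>" for each hit and
# returns 0 when nothing was found, 1 otherwise, so it can gate a cron job
# or a deployment check.
audit_roots() {
    hits=0
    for root in "$@"; do
        if [ ! -d "$root" ]; then
            echo "SKIP $root (not a directory)" >&2
            continue
        fi
        # Read results line by line so paths containing spaces survive.
        while IFS= read -r f; do
            [ -n "$f" ] || continue   # empty result yields one blank line
            echo "AFFECTED $f"
            hits=$((hits + 1))
        done <<EOF
$(find_eval_stdin "$root")
EOF
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone use: sh audit.sh /srv/wiki1 /srv/wiki2   (paths are examples)
if [ "$#" -gt 0 ]; then
    audit_roots "$@"
fi
```

A non-zero exit means at least one install still needs `composer update --no-dev` or the manual removal described in the announcement.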
