Hi,
I believe they are coming.
-bawolff
On Wednesday, November 15, 2017, Seb35 <seb35wikipedia(a)gmail.com> wrote:
Hi!
There are no corresponding Git tags 1.29.2, 1.28.3, 1.27.4, could someone
issue them?
I guess they are respectively ee7f9fe, 5b85506, a806476.
Thanks!
~ Seb35
On 15/11/2017 at 00:37, Sam Reed wrote:
> I would like to announce the release of MediaWiki 1.29.2, 1.28.3 and
> 1.27.4!
>
> These releases fix nine security issues in core and one related issue in
> the vendor folder. Download links are given at the end of this email.
>
> Patches will be pushed to gerrit after this email is sent, and will land
> into the relevant branches as fast as our CI infrastructure allows. Git
> tags will follow soon after. All related tasks will be made public in
> phabricator too in the following few hours.
>
> Please note that this month is the End-Of-Life date for MediaWiki 1.28.
> This means that MediaWiki 1.28.3 will be the last security release for
> that version, barring any unforeseen issues. We would strongly encourage
> users of MediaWiki 1.28 to upgrade to MediaWiki 1.29, released in July
> 2017, or a yet newer version as soon as possible. MediaWiki 1.29 will be
> supported until July 2018. See
> <https://www.mediawiki.org/wiki/Version_lifecycle> for more information.
>
> This release also serves as a maintenance release for these branches.
>
> == Security fixes ==
> * (T128209) Reflected File Download from api.php. Reported by Abdullah
>   Hussam. (CVE-2017-8809)
> * (T165846) BotPasswords doesn't throttle login attempts.
> * (T134100) On private wikis, login form shouldn't distinguish between
>   login failure due to bad username and bad password. (CVE-2017-8810)
> * (T178451) XSS when $wgShowExceptionDetails = false and browser sends
>   non-standard url escaping. (CVE-2017-8808)
> * (T176247) It's possible to mangle HTML via raw message parameter
>   expansion. (CVE-2017-8811)
> * (T125163) id attribute on headlines allow raw >. (CVE-2017-8812)
> * (T124404) language converter can be tricked into replacing text inside
>   tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
> * (T119158) Language converter: unsafe attribute injection via glossary
>   rules (CVE-2017-8815)
>
> The following only affects 1.29:
> * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't
>   correctly fixed in all branches in the previous security release.
>   (CVE-2017-0361)
>
> The following only affects 1.27 and 1.28:
> * (T180231) composer.json has require-dev versions of PHPUnit with known
>   security issues. Reported by Tom Hutchison. (CVE-2017-9841)
>
> It is recommended to run `composer update --no-dev` after upgrading to MW
> 1.27.4 or 1.28.3 if you installed MediaWiki via git. If you are using the
> tarball, you are not affected, and you do not need to run this command.
> This will remove developer dependencies that production wikis do not
> require. If you require developer dependencies, run `composer update`
> which will update to a version of PHPUnit without known RCE.
>
> If you cannot run `composer update` for any reason, it is recommended that
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES…
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES…
> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES…
>
> https://www.mediawiki.org/wiki/Release_notes/1.29
>
> For information about how to upgrade, see
> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>
> **********************************************************************
> Download:
>
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz
>
> Download without bundled extensions:
>
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz.…
> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz.sig
>
> Public keys:
>
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
>
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz
>
> Download without bundled extensions:
>
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz.…
> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.patch.gz.sig
>
> Public keys:
>
> https://www.mediawiki.org/keys/keys.html
>
> **********************************************************************
> Download:
>
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
>
> Download without bundled extensions:
>
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz.…
> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.patch.gz.sig
>
> Public keys:
>
> https://www.mediawiki.org/keys/keys.html
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
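
Added example (not part of this thread and not MediaWiki's own code): a check for the case the announcement describes, a git-based install that still carries the PHPUnit developer dependency under vendor/. It reads vendor/composer/installed.json; the affected ranges are taken from the public CVE-2017-9841 description rather than from this thread, and the function names and sample versions are constructed for illustration.

```python
import json
import os
import tempfile

# Affected ranges from the public CVE-2017-9841 description (not stated in the
# thread): PHPUnit before 4.8.28, and 5.x before 5.6.3.
def is_affected(version):
    try:
        v = tuple(int(p) for p in version.lstrip("v").split("-")[0].split(".")[:3])
    except ValueError:
        return None  # e.g. "dev-master": cannot decide from the version string
    return v < (4, 8, 28) or (v[0] == 5 and v < (5, 6, 3))

def installed_packages(root):
    """Map package name -> version from vendor/composer/installed.json."""
    path = os.path.join(root, "vendor", "composer", "installed.json")
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    # Composer 1 writes a bare list; Composer 2 wraps it in {"packages": [...]}.
    pkgs = data["packages"] if isinstance(data, dict) else data
    return {p["name"]: p.get("version", "") for p in pkgs}

def audit(root):
    """Return 'clean', 'dev-deps-present', 'affected' or 'unknown-version'."""
    pkgs = installed_packages(root)
    on_disk = os.path.isdir(os.path.join(root, "vendor", "phpunit", "phpunit"))
    if "phpunit/phpunit" not in pkgs:
        # Directory without a manifest entry: left over from an earlier install.
        return "unknown-version" if on_disk else "clean"
    affected = is_affected(pkgs["phpunit/phpunit"])
    if affected is None:
        return "unknown-version"
    return "affected" if affected else "dev-deps-present"

def make_checkout(packages, composer2=False):
    """Build a constructed checkout in a temp dir (sample data, not a real wiki)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "vendor", "composer"))
    body = {"packages": packages} if composer2 else packages
    with open(os.path.join(root, "vendor", "composer", "installed.json"), "w") as fh:
        json.dump(body, fh)
    return root

if __name__ == "__main__":
    # Constructed sample versions, chosen only to exercise each branch.
    old = make_checkout([{"name": "phpunit/phpunit", "version": "4.8.24"}])
    prod = make_checkout([{"name": "psr/log", "version": "1.0.2"}], composer2=True)
    print(audit(old), audit(prod))
```

Any result other than 'clean' on a production wiki means `composer update --no-dev` has not taken effect there.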