This is great, thank you!
As an LTS user, does anybody know about an overview what has changed since 1.31 LTS?
Would be a great help to have some information about differences/new features/breakting
changes between LTS versions and maybe also specific upgrade instructions.
regards,
Bernhard
----- Am 25. Sep 2020 um 18:19 schrieb Sam Reed <reedy(a)wikimedia.org>rg>:
I am happy to announce the belated availability of the
general release of
MediaWiki 1.35!
Tarballs have already been uploaded, and the git tag
has been pushed.
Thanks to everyone who helped out with this release,
especially thanks to those
who tested out the release candidates and provided feedback, as well as the
developers who worked hard to get several important fixes merged in time for
the 1.35 final release. To see what's changed in 1.35, see the release notes
below.
Please note that the PHP version requirement has been
raised from 7.2.9 in
MediaWiki 1.34 (and 7.0 in MediaWiki 1.31), to 7.3.19.
MediaWiki 1.35 is an LTS and is due to be supported
until the end of September
2023.
As a reminder, 1.31 is due to become end of life in
June 2021. 1.34 is due to
become end of life in November 2020.
As per the pre-release announcement, 1.35.0 also
includes some security fixes
that weren't in the release candidates, which came out yesterday for the ther
supported MediaWiki branches.
Known/outstanding issues:
* VisualEditor and Parsoid are now bundled in the tarball and no longer need a
separate Node.js service. The documentation for this still may still require
some updates. Please report any bugs [2] if this affects you.
* (T259685) Zeroconf (zero-configuration) VisualEditor/Parsoid doesn't work
using SQLite as the database backend for MediaWiki. This is due to the lack of
write concurrency in SQLite. If you wish to use this feature, it is recommended
to use MySQL/MariaDB rather than SQLite.
* Watchlist expiry (behind the $wgWatchlistExpiry flag) is currently still
experimental. It should become stable in a later point release. Please report
any issues/bugs [3].
== Security fixes ==
* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks
`hideuser`, ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message(
... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct
database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced cross-wiki.
=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking
<select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to [
http://watchpage.mw/ |
watchpage.mw ] event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader
hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message(
... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct
database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l