Wikimedia Developer Support

[MediaWiki-l] Security and maintenance release: 1.27.6 / 1.30.2 / 1.31.2 / 1.32.2


#1

Hi all,

I would like to announce the release of MediaWiki 1.32.2, 1.31.2, 1.30.2
and 1.27.6!

These releases fix 11 security issues in core (not 12 as reported in the
pre-release announcement. This was a mistake, sorry!) and also includes
some previously committed to git as minor security and hardening patches.
Download links are given at the end of this email.

Patches will be pushed to Gerrit after this email is sent, and will land
into the relevant branches as fast as our CI infrastructure allows.
Git tags will follow soon after. All related tasks will be made public
in Phabricator too in the following few hours.

Please note that December 2018 was the End-Of-Life date for MediaWiki
1.30. This means that MediaWiki 1.30.2 will be the last security release for
that version, barring any unforeseen issues. We would strongly encourage
users
of MediaWiki 1.30 to upgrade to MediaWiki 1.31 (LTS version), released in
June
2018, or a yet newer version as soon as possible. MediaWiki 1.31 will be
supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

June 2019 is the scheduled End-Of-Life date for MediaWiki 1.27 (the old LTS
version). This means that MediaWiki 1.27.6 will be the last security
release for
that version, barring any unforeseen issues. We would strongly encourage
users
of MediaWiki 1.27 to upgrade to MediaWiki 1.31 (LTS version), released in
June
2018, or a yet newer version as soon as possible. MediaWiki 1.31 will be
supported until July 2021. See
<https://www.mediawiki.org/wiki/Version_lifecycle> for more information.

This release also serves as a maintenance release for these branches.

== Security fixes ==
* (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would
allow
  for bypassing reauthentication, allowing for potential account takeover.
* (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a
DoS
  by querying the entire `watchlist` table.
* (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent
account
  allows anyone to create the account, and XSS the users' loading that
script.
* (T208881) blacklist CSS var().
* (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range
  blocks (`$wgBlockCIDRLimit`) by using the API.
* (T212118, CVE-2019-12474) Privileged API responses that include whether a
  recent change has been patrolled may be cached publicly.
* (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send
out
  spam with no rate limiting or ability to block them.
* (T25227, CVE-2019-12466) An account can be logged out without using a
token
  (CSRF).
* (T222036, CVE-2019-12469) Exposed suppressed username or log in
  Special:EditTags.
* (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
* (T221739, CVE-2019-11358) Fix potential XSS in jQuery.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T197279
* https://phabricator.wikimedia.org/T204729
* https://phabricator.wikimedia.org/T207603
* https://phabricator.wikimedia.org/T208881
* https://phabricator.wikimedia.org/T199540
* https://phabricator.wikimedia.org/T212118
* https://phabricator.wikimedia.org/T209794
* https://phabricator.wikimedia.org/T222036
* https://phabricator.wikimedia.org/T222038
* https://phabricator.wikimedia.org/T221739
* https://phabricator.wikimedia.org/T25227

== Release notes ==

Full release notes for 1.27.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
https://www.mediawiki.org/wiki/Release_notes/1.27

Full release notes for 1.30.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_30/RELEASE-NOTES-1.30
https://www.mediawiki.org/wiki/Release_notes/1.30

Full release notes for 1.31.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.32.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.32
https://www.mediawiki.org/wiki/Release_notes/1.32

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>