[MediaWiki-announce] Security Release - 1.27.1, 1.26.4, 1.23.15
Chad Horohoe
chorohoe at wikimedia.org
Tue Aug 23 01:15:11 UTC 2016
I would like to announce the release of MediaWiki 1.27.1, 1.26.4, 1.23.15!
These releases fix five security issues in core and one for the extension
PdfHandler. Download links are given at the end of this email.
== Security fixes ==
* (T139565) API: Generate head items in the context of the given title
(CVE-2016-6335)
* (T137264) XSS in unclosed internal links (CVE-2016-6334)
* (T133147) Escape '<' and ']]>' in inline <style> blocks (CVE-2016-6333)
* (T133147) Require login to preview user CSS pages (CVE-2016-6333)
* (T132926) Do not allow undeleting a revision deleted file if it is the
top file (CVE-2016-6336)
* (T129738) Make $wgBlockDisablesLogin also restrict logged in permissions
(CVE-2016-6332)
* (T129738) Make blocks log users out if $wgBlockDisablesLogin is true
(CVE-2016-6332)
* (T115333) Check read permission when loading page content in ApiParse
(CVE-2016-6331)
* (T57548) Remove support for $wgWellFormedXml = false, all output is now
well formed
The following only affects 1.27 and above and is not included in the 1.26
and 1.23 upgrade:
* (T139670) Move 'UserGetRights' call before application of
Session::getAllowedUserRights() (CVE-2016-6337)
The following fix is for the PdfHandler extension:
* (T136402) Add -dSAFER to ghostscript as hardening measure
== Release notes ==
Full release notes for 1.27.1:
<https://www.mediawiki.org/wiki/Release_notes/1.27>
Full release notes for 1.26.4:
<https://www.mediawiki.org/wiki/Release_notes/1.26>
Full release notes for 1.23.15:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.27.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.1.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.1.tar.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.26.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.4.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.26/mediawiki-core-1.26.4.tar.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.23.15
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.15.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.15.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.15.tar.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
-Chad H.
More information about the MediaWiki-announce
mailing list