[MediaWiki-announce] Security Release: 1.25.3, 1.24.4 and 1.23.11
Chad
innocentkiller at gmail.com
Fri Oct 16 18:08:44 UTC 2015
I would like to announce the release of MediaWiki 1.25.3, 1.24.4, and
1.23.11.
These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email.
== Security fixes ==
* Wikipedia user RobinHood70 reported two issues in the chunked upload API.
The API failed to stop adding new chunks to an upload once the reported file
size was exceeded (T91203), allowing a malicious user to add an unbounded
number of chunks to a single file upload. Additionally, a malicious user
could upload chunks of 1 byte for very large files, potentially creating a
very large number of files on the server's filesystem (T91205).
<https://phabricator.wikimedia.org/T91203>
<https://phabricator.wikimedia.org/T91205>
* Internal review discovered that it is not possible to throttle file
uploads.
<https://phabricator.wikimedia.org/T91850>
* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the 'viewsuppressed'
user right but not the appropriate 'suppressrevision' user right to
unsuppress revisions.
<https://phabricator.wikimedia.org/T95589>
* Richard Stanway from teamliquid.net reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image
metadata.
<https://phabricator.wikimedia.org/T108616>
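The two chunked-upload issues above (T91203 and T91205) come down to checks
that have to run every time a chunk is appended. The following PHP is an
added example written for this page, not MediaWiki's own upload code: the
class name, the minimum chunk size, the chunk ceiling, the upload-size cap
and the simulated client are all assumptions made for illustration.

```php
<?php
// Added example (not MediaWiki code): the two checks a chunk-append handler
// needs so that a client cannot keep appending chunks past the declared
// size (T91203) or split a large file into 1-byte chunks (T91205).
// Class name, limits and the simulated client below are assumptions.

final class ChunkedUploadPolicy
{
    // Assumed policy values; a real deployment would take these from config.
    public const MIN_CHUNK_BYTES = 1024 * 1024; // smallest non-final chunk
    public const MAX_CHUNKS      = 1000;        // hard ceiling per upload

    /**
     * Decide whether one more chunk may be appended to an in-progress upload.
     *
     * @param int $declaredSize total size the client declared for the file
     * @param int $maxFileSize  server-side cap on any single upload
     * @param int $bytesSoFar   bytes already stored for this upload
     * @param int $chunksSoFar  chunks already stored for this upload
     * @param int $chunkLen     length of the chunk the client is sending now
     * @return string 'ok', or the reason the chunk is rejected
     */
    public static function check(
        int $declaredSize, int $maxFileSize,
        int $bytesSoFar, int $chunksSoFar, int $chunkLen
    ): string {
        if ($declaredSize <= 0 || $declaredSize > $maxFileSize) {
            return 'declared-size-out-of-range';
        }
        if ($chunkLen <= 0) {
            return 'empty-chunk';
        }
        // T91203: test the size the upload WOULD have after this chunk, not
        // only the bytes already stored, and refuse to grow past the
        // declared size.
        if ($bytesSoFar + $chunkLen > $declaredSize) {
            return 'declared-size-exceeded';
        }
        // T91205: a non-final chunk must carry a sensible minimum, so the
        // number of chunk files per upload is bounded by size / MIN_CHUNK_BYTES.
        $isFinal = ($bytesSoFar + $chunkLen === $declaredSize);
        if (!$isFinal && $chunkLen < self::MIN_CHUNK_BYTES) {
            return 'chunk-too-small';
        }
        // Defence in depth: an absolute chunk count, in case the minimum
        // chunk size is ever lowered.
        if ($chunksSoFar + 1 > self::MAX_CHUNKS) {
            return 'too-many-chunks';
        }
        return 'ok';
    }
}

/**
 * Simulate a client that keeps sending chunks of $chunkLen for a file it
 * declared as $declaredSize. Returns [chunks accepted, bytes stored, why
 * the stream stopped]. Constructed driver, not a real API client.
 */
function simulateUpload(int $declaredSize, int $chunkLen, int $attempts): array
{
    $maxFileSize = 100 * 1024 * 1024; // assumed server-side upload cap
    $bytes = 0;
    $chunks = 0;
    for ($i = 0; $i < $attempts; $i++) {
        $verdict = ChunkedUploadPolicy::check(
            $declaredSize, $maxFileSize, $bytes, $chunks, $chunkLen
        );
        if ($verdict !== 'ok') {
            return [$chunks, $bytes, $verdict];
        }
        $bytes += $chunkLen;
        $chunks++;
        if ($bytes === $declaredSize) {
            return [$chunks, $bytes, 'complete'];
        }
    }
    return [$chunks, $bytes, 'client-gave-up'];
}

// A well-behaved client: a 5 MiB file sent in 1 MiB chunks.
print_r(simulateUpload(5 * 1024 * 1024, 1024 * 1024, 100));
// The T91205 pattern: a 50 MiB file that the client tries to send 1 byte at a time.
print_r(simulateUpload(50 * 1024 * 1024, 1, 1000000));
// The T91203 pattern: 1 MiB already stored of 1 MiB declared, and the client
// sends yet another 1 MiB chunk.
echo ChunkedUploadPolicy::check(1024 * 1024, 100 * 1024 * 1024, 1024 * 1024, 1, 1024 * 1024), "\n";
```

The order of the checks matters: the declared-size test runs before the
minimum-chunk test so that a final chunk smaller than the minimum is still
accepted when it exactly completes the file, while anything that would
overshoot the declared size is refused regardless of its length.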
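For the thumbnail metadata issue (T108616) the practical check an operator
wants is a way to confirm that rendered thumbnails no longer carry a path.
The PHP below is an added example for this page, not MediaWiki code: it walks
a PNG's chunks, collects tEXt, zTXt and iTXt entries and flags any that look
like a filesystem path. The sample image is constructed inline, and the
function names and the path heuristics are assumptions.

```php
<?php
// Added example (not MediaWiki code): walk a PNG's chunks, collect every
// textual metadata entry (tEXt, zTXt, iTXt) and flag anything that looks
// like a filesystem path, the kind of leak reported in T108616. The sample
// image, the function names and the path heuristics are assumptions.

/**
 * Return [[keyword, text], ...] for every text chunk in a PNG byte string.
 * Throws on a malformed file rather than guessing at its structure.
 */
function pngTextChunks(string $png): array
{
    if (strncmp($png, "\x89PNG\r\n\x1a\n", 8) !== 0) {
        throw new InvalidArgumentException('not a PNG');
    }
    $out = [];
    $pos = 8;
    $len = strlen($png);
    while ($pos + 12 <= $len) {
        $chunkLen = unpack('N', substr($png, $pos, 4))[1];
        if ($pos + 12 + $chunkLen > $len) {
            throw new InvalidArgumentException('truncated chunk');
        }
        $type = substr($png, $pos + 4, 4);
        $data = substr($png, $pos + 8, $chunkLen);
        $crc  = unpack('N', substr($png, $pos + 8 + $chunkLen, 4))[1];
        // The CRC covers type + data; do not trust a chunk that fails it.
        if (($crc & 0xFFFFFFFF) !== (crc32($type . $data) & 0xFFFFFFFF)) {
            throw new InvalidArgumentException("bad CRC on $type chunk");
        }
        if ($type === 'tEXt') {
            // keyword\0text (Latin-1)
            [$kw, $txt] = explode("\0", $data, 2) + [1 => ''];
            $out[] = [$kw, $txt];
        } elseif ($type === 'zTXt') {
            // keyword\0 + compression method byte (0 = zlib) + deflated text
            [$kw, $rest] = explode("\0", $data, 2) + [1 => ''];
            $txt = (isset($rest[0]) && $rest[0] === "\0")
                ? (string) @gzuncompress(substr($rest, 1)) : '';
            $out[] = [$kw, $txt];
        } elseif ($type === 'iTXt') {
            // keyword\0 + flag(1) + method(1) + language\0 + translated\0 + text (UTF-8)
            [$kw, $rest] = explode("\0", $data, 2) + [1 => ''];
            $parts = explode("\0", substr($rest, 2), 3) + [2 => ''];
            $txt = (isset($rest[0]) && $rest[0] === "\x01")
                ? (string) @gzuncompress($parts[2]) : $parts[2];
            $out[] = [$kw, $txt];
        }
        $pos += 12 + $chunkLen;
        if ($type === 'IEND') {
            break;
        }
    }
    return $out;
}

/**
 * Assumed heuristic: report entries containing a Unix absolute path or a
 * Windows drive path. Returns "keyword: path" strings.
 */
function findLeakedPaths(array $textChunks): array
{
    $re = '~(?:^|[\s"\'=:(])(/(?:[\w.-]+/)+[\w.-]+|[A-Za-z]:\\\\[^\s"\']+)~';
    $hits = [];
    foreach ($textChunks as [$kw, $txt]) {
        if (preg_match($re, $txt, $m)) {
            $hits[] = "$kw: {$m[1]}";
        }
    }
    return $hits;
}

/** Build one PNG chunk: length, type, data, CRC32 over type + data. */
function pngChunk(string $type, string $data): string
{
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

// Constructed 1x1 greyscale PNG carrying a "comment" that imitates a leaked
// source path; a real thumbnail would be read with file_get_contents().
$sample = "\x89PNG\r\n\x1a\n"
    . pngChunk('IHDR', pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0))
    . pngChunk('tEXt', "comment\0/var/www/html/images/a/ab/Example.png")
    . pngChunk('IDAT', gzcompress("\0\0"))
    . pngChunk('IEND', '');

foreach (findLeakedPaths(pngTextChunks($sample)) as $hit) {
    echo "metadata leaks a path -> ", $hit, "\n";
}
```

Run it over a directory of freshly generated thumbnails after upgrading: a
clean result for every file is the evidence that the thumbnailer no longer
writes the source path into the image, whatever ImageMagick options the
wiki is configured with.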
== Bug Fixes in 1.25.3 ==
* Fix having multiple callbacks for a single hook.
<https://phabricator.wikimedia.org/T98975>
* maintenance/refreshLinks.php did not always remove all links pointing to
nonexistent pages.
<https://phabricator.wikimedia.org/T107632>
* $wgEmergencyContact and $wgPasswordSender now use their default value if
set to an empty string.
<https://phabricator.wikimedia.org/T104142>
* Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It
was causing an error when accessing the API help page if the mbstring PHP
extension was not installed.
<https://phabricator.wikimedia.org/T62174>
* Confirmation emails would sometimes contain invalid codes.
<https://phabricator.wikimedia.org/T105896>
* Fixed edit stash inclusion queries.
<https://phabricator.wikimedia.org/T105597>
== Bug Fixes in 1.24.4 ==
* Minimal PSR-3 debug logger to support backports from 1.25+.
<https://phabricator.wikimedia.org/T91653>
* Fix indexing of moved pages with PostgreSQL. Requires running
update.php to fix.
<https://phabricator.wikimedia.org/T68650>
== Release notes ==
Full release notes for 1.25.3:
<https://www.mediawiki.org/wiki/Release_notes/1.25>
Full release notes for 1.24.4:
<https://www.mediawiki.org/wiki/Release_notes/1.24>
Full release notes for 1.23.11:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
1.25.3
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.3.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.3.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-core-1.25.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-i18n-1.25.3.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.24.4
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.4.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.4.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-i18n-1.24.4.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
1.23.11
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.11.tar.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.11.tar.gz
Patch to previous version:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.11.patch.gz
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.11.patch.gz
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.11.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.11.patch.gz.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
-Chad