Sorry all for the inconvenience. There's a couple of issues relating to some of the backports in the User/ActorMigration changes. As such, I would advise against applying these patches unless you really know what you are doing.
Fixes are being worked on, and will hopefully be released in a few hours. On Thu, 24 Sep 2020 at 16:05, Sam Reed <re...@wikimedia.org> wrote: > I would like to announce the release of MediaWiki 1.34.3, and 1.31.9! > > These releases also serve as a maintenance release for these branches. > > While tarballs have already been uploaded, git tags will follow later on > today. > > An "MediaWiki Extensions Security Release Supplement" email will follow > this one. > > As mentioned in the pre-release announcement, this will potentially be the > final release of the MediaWiki 1.34 branch, barring any unforeseen issues. > For continued support in the future, you are advised to upgrade to > MediaWiki 1.35 in the near future. > > The release announcement for MediaWiki 1.35 will follow this one before > the end of day tomorrow. MediaWiki 1.35 will be supported until September > 2023. > > == Security fixes == > * (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks > `hideuser`, ignore hidden users. > * (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on > Special:Contributions. > * (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML > within LogEventsList. > * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking > firejail's --output functionality. > * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs > and 'style' attribute. > * (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in > mw.message( ... ).parse(). > * (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the > correct database. > * (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is > used. > * (T251661, CVE-2020-25827) SECURITY: TOTP throttle not enforced > cross-wiki. > > == Links to all mentioned tasks == > * https://phabricator.wikimedia.org/T232568 > * https://phabricator.wikimedia.org/T255918 > * https://phabricator.wikimedia.org/T256171 > * https://phabricator.wikimedia.org/T258763 > * https://phabricator.wikimedia.org/T86738 > * https://phabricator.wikimedia.org/T115888 > * https://phabricator.wikimedia.org/T260485 > * https://phabricator.wikimedia.org/T251661 > > == Release notes == > > Full release notes for 1.31.9: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31 > https://www.mediawiki.org/wiki/Release_notes/1.31 > > Full release notes for 1.34.3: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_34/RELEASE-NOTES-1.34 > https://www.mediawiki.org/wiki/Release_notes/1.34 > > For information about how to upgrade, see > <https://www.mediawiki.org/wiki/Manual:Upgrading> > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz > > Patch to previous version (1.31.8): > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.9.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.9.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz > > Patch to previous version (1.34.2): > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-core-1.34.3.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.3.patch.gz.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > _______________________________________________ MediaWiki announcements mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce