Yes, the tags will be following very shortly. It takes a long time for a large
pile of changes to make its way through CI.

Apologies for any confusion!

-Chad

On Thu, Apr 6, 2017 at 3:38 PM James Montalvo <jamesmontal...@gmail.com>
wrote:

> This is great. Thank you. I don't believe tags were created for 1.27 or
> 1.28, though.
>
> On Apr 6, 2017 4:40 PM, "Chad Horohoe" <choro...@wikimedia.org> wrote:
>
> > Hello!
> >
> > I would like to announce the release of MediaWiki 1.28.1, 1.27.2 and
> > 1.23.16!
> >
> > These releases fix five security issues in core and one for the extension
> > SyntaxHighlight_GeSHi. Download links are given at the end of this email.
> >
> > Please note that next month is the End-Of-Life date for MediaWiki 1.23. This
> > means that MediaWiki 1.23.16 will be the last security release for that
> > version, barring any unforeseen issues. We would strongly encourage users of
> > MediaWiki 1.23 to upgrade to MediaWiki 1.27, released in June 2016, or a yet
> > newer version as soon as possible. MediaWiki 1.27 will be supported until June
> > 2019. See <https://www.mediawiki.org/wiki/Version_lifecycle> for more
> > information.
> >
> > This release also serves as a maintenance release for these branches.
> >
> > == Security fixes ==
> > * (T109140) (T122209) Special:UserLogin and Special:Search allow redirect
> >   to interwiki links. (CVE-2017-0363, CVE-2017-0364)
> > * (T144845) XSS in SearchHighlighter::highlightText() when
> >   $wgAdvancedSearchHighlighting is true.  (CVE-2017-0365)
> > * (T125177) API parameters may now be marked as "sensitive" to keep
> >   their values out of the logs.  (CVE-2017-0361)
> > * (T150044) "Mark all pages visited" on the watchlist now requires a CSRF
> >   token.  (CVE-2017-0362)
> > * (T156184) Escape content model/format url parameter in message.
> >   (CVE-2017-0368)
> > * (T151735) SVG filter evasion using default attribute values in DTD
> >   declaration. (CVE-2017-0366)
> > * (T48143) Spam blacklist ineffective on encoded URLs inside file inclusion
> >   syntax's link parameter. (CVE-2017-0370)
> > * (T108138) Sysops can undelete pages, although the page is protected against
> >   it. (CVE-2017-0369)
> >
> > The following only affects 1.27 and above and is not included in the 1.23
> > upgrade:
> > * (T161453) LocalisationCache will no longer use the temporary directory
> >   in its fallback chain when trying to work out where to write the cache.
> >   (CVE-2017-0367)
> >
> > The following fix is for the SyntaxHighlight extension:
> > * (T158689) Parameters injection in SyntaxHighlight results in multiple
> >   vulnerabilities. (CVE-2017-0372)
> >
> > == Links to all mentioned tasks ==
> > https://phabricator.wikimedia.org/T109140
> > https://phabricator.wikimedia.org/T122209
> > https://phabricator.wikimedia.org/T144845
> > https://phabricator.wikimedia.org/T125177
> > https://phabricator.wikimedia.org/T150044
> > https://phabricator.wikimedia.org/T156184
> > https://phabricator.wikimedia.org/T151735
> > https://phabricator.wikimedia.org/T161453
> > https://phabricator.wikimedia.org/T48143
> > https://phabricator.wikimedia.org/T108138
> > https://phabricator.wikimedia.org/T158689
> >
> > == Release notes ==
> >
> > Full release notes for 1.28.1:
> > <https://www.mediawiki.org/wiki/Release_notes/1.28>
> >
> > Full release notes for 1.27.2:
> > <https://www.mediawiki.org/wiki/Release_notes/1.27>
> >
> > Full release notes for 1.23.16:
> > <https://www.mediawiki.org/wiki/Release_notes/1.23>
> >
> > For information about how to upgrade, see
> > <https://www.mediawiki.org/wiki/Manual:Upgrading>
> >
> > **********************************************************************
> > 1.23.16
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.tar.gz
> >
> > Download without bundled extensions:
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.16.tar.gz
> >
> > Patch to previous version (1.23.15), without interface text:
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.patch.gz
> >
> > Interface text changes:
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.16.patch.gz
> >
> > GPG signatures:
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.16.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.16.patch.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.23/mediawiki-i18n-1.23.16.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> >
> > **********************************************************************
> > 1.27.2
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.tar.gz
> >
> > Download without bundled extensions:
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.2.tar.gz
> >
> > Patch to previous version (1.27.1), without interface text:
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.patch.gz
> >
> > Interface text changes:
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-i18n-1.27.2.patch.gz
> >
> > GPG signatures:
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.2.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.2.patch.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.27/mediawiki-i18n-1.27.2.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> >
> > **********************************************************************
> > 1.28.1
> > **********************************************************************
> > Download:
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.tar.gz
> >
> > Download without bundled extensions:
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.1.tar.gz
> >
> > Patch to previous version (1.28.0), without interface text:
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.patch.gz
> >
> > Interface text changes:
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-i18n-1.28.1.patch.gz
> >
> > GPG signatures:
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.1.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.tar.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.1.patch.gz.sig
> > https://releases.wikimedia.org/mediawiki/1.28/mediawiki-i18n-1.28.1.patch.gz.sig
> >
> > Public keys:
> > https://www.mediawiki.org/keys/keys.html
> > _______________________________________________
> > MediaWiki announcements mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l