Hi,

I believe they are coming.

-bawolff

On Wednesday, November 15, 2017, Seb35 <seb35wikipe...@gmail.com> wrote:
> Hi!
>
> There are no corresponding Git tags 1.29.2, 1.28.3, 1.27.4; could someone
> issue them?
>
> I guess they are respectively ee7f9fe, 5b85506, a806476.
>
> Thanks!
> ~ Seb35
>
> On 15/11/2017 at 00:37, Sam Reed wrote:
>> I would like to announce the release of MediaWiki 1.29.2, 1.28.3 and
>> 1.27.4!
>>
>> These releases fix nine security issues in core and one related issue in
>> the vendor folder. Download links are given at the end of this email.
>>
>> Patches will be pushed to gerrit after this email is sent, and will land
>> into the relevant branches as fast as our CI infrastructure allows. Git
>> tags will follow soon after. All related tasks will be made public in
>> phabricator too in the following few hours.
>>
>> Please note that this month is the End-Of-Life date for MediaWiki 1.28.
>> This means that MediaWiki 1.28.3 will be the last security release for
>> that version, barring any unforeseen issues. We would strongly encourage
>> users of MediaWiki 1.28 to upgrade to MediaWiki 1.29, released in July
>> 2017, or a yet newer version as soon as possible. MediaWiki 1.29 will be
>> supported until July 2018. See
>> <https://www.mediawiki.org/wiki/Version_lifecycle> for more information.
>>
>> This release also serves as a maintenance release for these branches.
>>
>> == Security fixes ==
>> * (T128209) Reflected File Download from api.php. Reported by Abdullah
>>   Hussam. (CVE-2017-8809)
>> * (T165846) BotPasswords doesn't throttle login attempts.
>> * (T134100) On private wikis, login form shouldn't distinguish between
>>   login failure due to bad username and bad password. (CVE-2017-8810)
>> * (T178451) XSS when $wgShowExceptionDetails = false and browser sends
>>   non-standard url escaping. (CVE-2017-8808)
>> * (T176247) It's possible to mangle HTML via raw message parameter
>>   expansion. (CVE-2017-8811)
>> * (T125163) id attribute on headlines allows raw >. (CVE-2017-8812)
>> * (T124404) language converter can be tricked into replacing text inside
>>   tags by adding a lot of junk after the rule definition. (CVE-2017-8814)
>> * (T119158) Language converter: unsafe attribute injection via glossary
>>   rules (CVE-2017-8815)
>>
>> The following only affects 1.29:
>> * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't
>>   correctly fixed in all branches in the previous security release.
>>   (CVE-2017-0361)
>>
>> The following only affects 1.27 and 1.28:
>> * (T180231) composer.json has require-dev versions of PHPUnit with known
>>   security issues. Reported by Tom Hutchison. (CVE-2017-9841)
>>
>> It is recommended to run `composer update --no-dev` after upgrading to MW
>> 1.27.4 or 1.28.3 if you installed MediaWiki via git. If you are using the
>> tarball, you are not affected, and you do not need to run this command.
>> This will remove developer dependencies that production wikis do not
>> require. If you require developer dependencies, run `composer update`
>> which will update to a version of PHPUnit without known RCE.
>>
>> If you cannot run `composer update` for any reason, it is recommended
>> that you delete the offending file as a minimum yourself using the
>> following command:
>>
>> `rm -rf vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`
>>
>> == Links to all mentioned tasks ==
>> https://phabricator.wikimedia.org/T128209
>> https://phabricator.wikimedia.org/T165846
>> https://phabricator.wikimedia.org/T134100
>> https://phabricator.wikimedia.org/T178451
>> https://phabricator.wikimedia.org/T176247
>> https://phabricator.wikimedia.org/T125163
>> https://phabricator.wikimedia.org/T180231
>> https://phabricator.wikimedia.org/T125163
>> https://phabricator.wikimedia.org/T124404
>> https://phabricator.wikimedia.org/T119158
>> https://phabricator.wikimedia.org/T180488
>> https://phabricator.wikimedia.org/T125177
>>
>> == Release notes ==
>>
>> Full release notes for 1.27.4:
>> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27
>> https://www.mediawiki.org/wiki/Release_notes/1.27
>>
>> Full release notes for 1.28.3:
>> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_28/RELEASE-NOTES-1.28
>> https://www.mediawiki.org/wiki/Release_notes/1.28
>>
>> Full release notes for 1.29.2:
>> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_29/RELEASE-NOTES-1.29
>> https://www.mediawiki.org/wiki/Release_notes/1.29
>>
>> For information about how to upgrade, see
>> <https://www.mediawiki.org/wiki/Manual:Upgrading>
>>
>> **********************************************************************
>> Download:
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz
>>
>> Download without bundled extensions:
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz
>>
>> Patch to previous version (1.27.3):
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz
>>
>> GPG signatures:
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-core-1.27.4.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.4.patch.gz.sig
>>
>> Public keys:
>> https://www.mediawiki.org/keys/keys.html
>>
>> **********************************************************************
>> Download:
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz
>>
>> Download without bundled extensions:
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz
>>
>> Patch to previous version (1.28.2):
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.patch.gz
>>
>> GPG signatures:
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-core-1.28.3.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.3.patch.gz.sig
>>
>> Public keys:
>> https://www.mediawiki.org/keys/keys.html
>>
>> **********************************************************************
>> Download:
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
>>
>> Download without bundled extensions:
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz
>>
>> Patch to previous version (1.29.1):
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.patch.gz
>>
>> GPG signatures:
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-core-1.29.2.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz.sig
>> https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.patch.gz.sig
>>
>> Public keys:
>> https://www.mediawiki.org/keys/keys.html
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>
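Added example (not part of the thread and not MediaWiki's or PHPUnit's own tooling): a check for git-based installs that looks for the `eval-stdin.php` file named in the announcement, in core's `vendor/` and in any `vendor/` directory shipped inside extensions or skins. The function name `audit_eval_stdin` is hypothetical, and treating a `php://input` read as the marker of the unpatched file is an assumption based on the upstream PHPUnit fix for CVE-2017-9841.

```shell
#!/bin/sh
# Added example: audit a MediaWiki tree for PHPUnit's eval-stdin.php.
# Relative path below vendor/, taken from the announcement.
EVAL_STDIN_REL="phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# audit_eval_stdin ROOT
# Prints one line per copy of eval-stdin.php found below any vendor/ under ROOT:
#   VULNERABLE <path>  file reads php://input (assumed marker of the unpatched file)
#   PRESENT <path>     file exists but does not read php://input
# Returns 0 if no VULNERABLE copy exists, 1 if at least one does,
# 2 if ROOT is not a directory.
audit_eval_stdin() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -path also matches vendor/ trees nested inside extensions/ or skins/.
    find "$root" -type f -path "*/vendor/$EVAL_STDIN_REL" 2>/dev/null |
    (
        status=0
        while IFS= read -r f; do
            if grep -q 'php://input' "$f"; then
                echo "VULNERABLE $f"
                status=1
            else
                echo "PRESENT $f"
            fi
        done
        # Explicit subshell: its exit status becomes the function's status.
        exit "$status"
    )
}

# Run directly as: sh audit.sh /path/to/mediawiki
if [ "$#" -gt 0 ]; then
    audit_eval_stdin "$1"
fi
```

A `PRESENT` line on a production wiki still means developer dependencies are installed; `composer update --no-dev`, as the announcement recommends, removes them.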