
The developers of the open-source CMS MediaWiki released a security update a few days ago for the current versions: 1.27.5, 1.29.3, 1.30.1 and 1.31.1.
It fixes 4 security bugs in the core and in other previously reported places. Note that MediaWiki 1.29 has been out of support (end-of-life) since July. Version 1.29.3 is the last update of this series. An upgrade to version 1.31 is recommended; it is supported until July 2021.
MediaWiki 1.31.1 Release Notes
- (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for ‘user’ overrides ‘newbie’.
- (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth’s account lock.
- (task T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
- (task T197229) Bundle Nuke extension, it was accidentally omitted.
- (task T193995) Fix undefined patchPath() method call in parser tests.
- (task T198687) Fix various selectFields methods to use the string ‘NULL’, not null.
- Special:BotPasswords now requires reauthentication.
- (task T191608, task T187638) Add ‘logid’ parameter to Special:Log.
- (task T193829) Indicate when a Bot Password needs reset.
- (task T198037) GitInfo: Don’t try shelling out if it’s disabled.
- (task T151415) Log email changes.
- (task T197206) Fix performance regression when multiple DB used without caching.
- (task T197030) PHPSessionHandler: Suppress headers warnings in initialize().
- (task T182377, task T196793) Exif: Guard against uncountable tag values.
- (task T200861) Fix total breakage of SQLite web upgrade.
- (task T200864) Fix pingback over-reporting on non-MySQL databases
- (task T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
MediaWiki 1.30.1 Release Notes
- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for ‘user’ overrides ‘newbie’.
- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth’s account lock.
- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
- (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
- (T190503) Let built-in web server (maintenance/dev) handle .php requests.
- (T167507) selenium: Run Chrome headlessly.
- selenium: Pass -no-sandbox to Chrome under Docker.
- (T179190) selenium: Move logic for running tests from package.json to selenium.sh
- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
- Add default edit rate limit of 90 edits/minute for all users.
- (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
- oojs/oojs-ui updated to remove an unnecessary dependency.
- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
- (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
- (T196672) The mtime of extension.json files is now able to be zero
- (T180403) Validate $length in padleft/padright parser functions.
- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
- (T193995) Fix undefined patchPath() method call in parser tests.
- Special:BotPasswords now requires reauthentication.
- (T191608, T187638) Add ‘logid’ parameter to Special:Log.
- (T193829) Indicate when a Bot Password needs reset.
- (T151415) Log email changes.
- (T200861) Fix total breakage of SQLite web upgrade.
- (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
- (T190539) Explicitly require Postgres 9.1.
- (T118420) Unbreak Oracle installer.
MediaWiki 1.29.3 Release Notes
- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for ‘user’ overrides ‘newbie’.
- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth’s account lock.
- (T180551) Fix LanguageSrTest for language converter
- (T180552) Fix language converter parser test with self-close tags
- (T180537) Remove $wgAuth usage from wrapOldPasswords.php
- (T180485) InputBox: Have inputbox langconvert certain attributes
- (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
- (T172927) Drop vendor from MW release branch
- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
- Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
- (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
- (T182381) Mask deprecated call in WatchedItemUnitTest
- (T190503) Let built-in web server (maintenance/dev) handle .php requests.
- The karma qunit tests would fail on some configuration due to headers already sent. Check headers_sent() before sending cpPosTime headers
- (T167507) selenium: Run Chrome headlessly.
- selenium: Pass -no-sandbox to Chrome under Docker
- (T191247) Use MediaWiki\SuppressWarnings around trigger_error() instead @
- (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel fails under SQLite.
- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
- (T179190) selenium: Move test running logic from package.json to selenium.sh.
- (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
- Add default edit rate limit of 90 edits/minute for all users.
- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
- (T196672) The mtime of extension.json files is now able to be zero
- (T180403) Validate $length in padleft/padright parser functions.
- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
- (T194237) Special:BotPasswords now requires reauthentication.
- (T191608, T187638) Add ‘logid’ parameter to Special:Log.
- (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
- (T193829) Indicate when a Bot Password needs reset.
- (T151415) Log email changes.
- (T118420) Unbreak Oracle installer.
MediaWiki 1.27.5 Release Notes
- (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for ‘user’ overrides ‘newbie’.
- (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth’s account lock.
- Upgraded Moment.js from v2.8.4 to v2.19.3.
- (T160298) Fixed Special:ActiveUsers due to bad backport.
- (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
- Updated list of SPDX licenses for extensions.
- (T189567) the CLI installer (maintenance/install.php) learned to detect and include extensions. Pass --with-extensions to enable that feature.
- (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
- Add default edit rate limit of 90 edits/minute for all users.
- (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
- (T196672) The mtime of extension.json files is now able to be zero.
- (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
- (T180403) Validate $length in padleft/padright parser functions.
- (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
- Special:BotPasswords now requires reauthentication.
- (T191608, T187638) Add ‘logid’ parameter to Special:Log.
- (T193829) Indicate when a Bot Password needs reset.
- (T151415) Log email changes.
- (T118420) Unbreak Oracle installer.