diff options
author | Reedy <reedy@wikimedia.org> | 2021-04-08 16:34:10 +0100 |
---|---|---|
committer | Reedy <reedy@wikimedia.org> | 2021-04-08 20:52:50 +0100 |
commit | e5823c068a2e0d8af72538fe5cd152ddb43c58e9 (patch) | |
tree | f2935ef43e0ad19ce7366d1579e12468a946a506 | |
parent | 3db31d9afd94f228af7410f57e0da025fec18793 (diff) |
Prep 1.35.21.35.2
Change-Id: Ifee7d9dc8f7d2a10be35bb3bd0eec2956a06ceb7
-rw-r--r-- | RELEASE-NOTES-1.35 | 29 | ||||
-rw-r--r-- | includes/Defines.php | 2 |
2 files changed, 25 insertions, 6 deletions
diff --git a/RELEASE-NOTES-1.35 b/RELEASE-NOTES-1.35 index 5b7c0b41bf23..18a64d720b9c 100644 --- a/RELEASE-NOTES-1.35 +++ b/RELEASE-NOTES-1.35 @@ -11,7 +11,14 @@ PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/ == MediaWiki 1.35.2 == -THIS IS NOT A RELEASE YET +This is a security and maintenance release of the MediaWiki 1.35 branch. + +MediaWiki 1.35.2 supports Composer 2.0. It is reccommended to make sure your +libraries are up to date on Composer 1.x, before running Composer 2.x. + +While normally running update.php isn't required for point releases, +it is recommended to run it for 1.35.2 so that iwlinks.iwl_prefix is +updated to take 32 characters. === Changes since MediaWiki 1.35.1 === * (T270450) The confusingly-named User->isLoggedIn() method has been deprecated @@ -62,7 +69,8 @@ THIS IS NOT A RELEASE YET * (T269293) Record all used options in metadata. * Allow usage of Composer 2.0 to install MediaWiki's dependencies. * (T259872) skins: Call headElement() after getTemplateData() in SkinMustache. -* (T277009) Allow blocked users to access Special:ResetTokens. +* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access + Special:ResetTokens. * (T272412) Add "Account data" section to user preferences. * (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook. * (T277520) registration: Allow specifying immovable namespaces in @@ -71,8 +79,10 @@ THIS IS NOT A RELEASE YET documented and are not altered by previous calls to these methods. * (T254688) Remove page inner join from subquery in SpecialWhatLinksHere. * (T122124) signup: added help message for security. -* (T278014) Escape mediastatistics-header-* messages on Special:NewFiles. -* (T278058) Escape rcfilters-filter-* messages on ChangesList pages. +* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages + on Special:NewFiles. +* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on + ChangesList pages. * (T277414) HTMLFormField: Use non namespaced class name rather than static::class. * (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php @@ -83,10 +93,19 @@ THIS IS NOT A RELEASE YET config-pingback. * Fix documentation of user-global in $wgRateLimits. * BackupDumper: Add -o as shortcode for --output. +* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors. +* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they + have right to do so via action=protect. +* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast + double move. +* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can + create pages. +* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for + inserting mostly arbitrary <meta> tags. == MediaWiki 1.35.1 == -This is a maintenance release of the MediaWiki 1.35 branch. +This is a security and maintenance release of the MediaWiki 1.35 branch. While normally running update.php isn't required for point releases, it is recommended to run it for 1.35.1 so that sites.site_language is diff --git a/includes/Defines.php b/includes/Defines.php index a80b4bb70842..894808903d5f 100644 --- a/includes/Defines.php +++ b/includes/Defines.php @@ -37,7 +37,7 @@ use Wikimedia\Rdbms\IDatabase; * * @since 1.35 */ -define( 'MW_VERSION', '1.35.1' ); +define( 'MW_VERSION', '1.35.2' ); # Obsolete aliases |