MediaWiki Security und Correction Update 1.31.10 und 1.34.4

Die Entwickler des Wiki, MediaWiki, haben vor wenigen Tagen die Version 1.31.9 und 1.34.3 veröffentlicht. Diese schließen Sicherheitslücken und verbessern die Stabilität von MediaWiki. Leider enthielten sie jedoch einen Fehler in den Backports, sodass kurz darauf die Versionen 1.31.10 und 1.34.4, veröffentlicht wurden.

MediaWiki 1.31.9

• In the web installer, use secure session cookies.
• (T257207) shell: Expand documentation in firejail.profile.
• Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We recommend this be set to true on pure HTTPS wikis.
• Added $wgCookieSameSite, which allows login cookies to be sent with SameSite=None. This is required for cross-site CentralAuth autologin after Chrome 84.
• Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to SameSite=None cookies for browsers which implemented an incompatible draft version of the specification.
• (T191537) Disable WebResponse setters for post-send processing.
• (T198525) WebReponse: Use values altered in ‚WebResponseSetCookie‘ hook.
• Fix runBatchedQuery.php for no result from select.
• (T130906) Add Edge to MediaWiki:Clearyourcache.
• Use IPset in MWRestrictions::checkIP.
• (T260031) Add application/font-sfnt to MimeMap for ttf files.
• shell: Make ->restrict( RESTRICT_NONE ) actually work.
• (T183759) Fixes shell edge-cases in Windows.
• (T258390) Add CentralIdLookup::factoryNonLocal().
• (T246991) User: Fix pingLimiter() to use makeGlobalKey() for global rate limits.
• (T251661, CVE-2020-25827) SECURITY: User::pingLimiter: add user-global rate limit type.
• (T246991) User: enforce pingLimiter() expiry time.
• (T260232) don’t include null page ids in query list for category dumps.
• (T251506) Sanitizer: Truncate IDs to a reasonable length.
• Explicitly wrap some XML calls in libxml_disable_entity_loader().
• (T263455 T247285) Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php.
• (T232568, CVE-2020-25813) SECURITY: Special:UserRights exposes the existence of hidden users.
• (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail’s –output functionality.
• (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and ’style‘ attribute.
• (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( … ).parse().
• (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
• (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.

MediaWiki 1.34.3

• In the web installer, use secure session cookies.
• Make UsersPager::requestedGroup public.
• (task T257407) Split patch-drop-user-fields.sql into patch per table.
• (task T257356) Split patch-drop-comment-fields.sql into patch per table.
• (task T257997) Undeprecate WebInstaller::getInfoBox().
• Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We recommend this be set to true on pure HTTPS wikis.
• Added $wgCookieSameSite, which allows login cookies to be sent with SameSite=None. This is required for cross-site CentralAuth autologin after Chrome 84.
• Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to SameSite=None cookies for browsers which implemented an incompatible draft version of the specification.
• (task T257207) shell: Expand documentation in firejail.profile.
• (task T246135) Give the „remember me“ checkbox a specific CSS class so skins like Minerva can only hide that checkbox.
• (task T256287) rdbms: improve DBConnRef domain selection exception message.
• (task T248191, task T259123) phpunit: Acknowledge known dberror from SpecialPageFatalTest.
• (task T256394, task T259123) Cleanup up excess commit() call in LocalRepoTest.
• Fix runBatchedQuery.php for no result from select.
• (task T130906) Add Edge to MediaWiki:Clearyourcache.
• (task T249521) reassignEdits: Update script to use User::newFromName for anon users.
• (task T172060) GlobalFunctions: Use php_uname instead of posix_uname.
• Use IPset in MWRestrictions::checkIP.
• (task T260031) Add application/font-sfnt to MimeMap for ttf files.
• shell: Make ->restrict( RESTRICT_NONE ) actually work.
• (task T183759) Fixes shell edge-cases in Windows.
• (task T258390) Add CentralIdLookup::factoryNonLocal().
• (task T246991) User: Fix pingLimiter() to use makeGlobalKey() for global rate limits.
• (task T232568, CVE-2020-25813) SECURITY: Special:UserRights exposes the existence of hidden users.
• (task T251661, CVE-2020-25827) SECURITY: User::pingLimiter: add user-global rate limit type.
• (task T246991) User: enforce pingLimiter() expiry time.
• (task T260232) don’t include null page ids in query list for category dumps.
• (task T251506) Sanitizer: Truncate IDs to a reasonable length.
• (task T262900) Fix failure of rebuildLocalisationCache.php due to a ResourceLoader hook.
• Explicitly wrap some XML calls in libxml_disable_entity_loader().
• (task T263455, task T247285) Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php.
• (task T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
• (task T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on Special:Contributions.
• (task T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within LogEventsList.
• (task T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail’s –output functionality.
• (task T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and ’style‘ attribute.
• (task T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in mw.message( … ).parse().
• (task T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct database.
• (task T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.