MediaWiki 1.35.4
4 October 2021
MediaWiki version 1.35.4 is now available (security release).
Upgrading to MediaWiki 1.35.4
MediaWiki 1.35.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.35.4 upgrade prior to applying it live.
What's New in MediaWiki 1.35.4
Security
- CVE-2021-41798: XSS vulnerability in Special:Search.
- CVE-2021-41799: ApiQueryBacklinks can cause a full table scan.
- CVE-2021-41800: fix PoolCounter protection of Special:Contributions.
Bug Fixes
- Mark ApiClientLogin/ApiLogin as requiring write mode.
- Make postgres IRC channel point to libera.chat.
- ExtensionProcessor: Remove loaderScripts from extension.json schemas.
- Installer: Fix mediawiki-announce auto subscription code.
- FormatJson: Optimize encode() for supported PHP versions.
- renameRestrictions.php: Update protected_titles as well.
- $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
- resourceloader: Call getStyleFiles from FileModule::getFileHashes.
- parser: Avoid calling ParserOptions::getOption() too many times.