MediaWiki 1.36.2
4 October 2021
MediaWiki version 1.36.2 is now available (security release).
Upgrading to MediaWiki 1.36.2
MediaWiki 1.36.2 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.36.2 upgrade prior to applying it live.
What's New in MediaWiki 1.36.2
Security
- CVE-2021-41798: XSS vulnerability in Special:Search.
- CVE-2021-41799: ApiQueryBacklinks can cause a full table scan.
- CVE-2021-41800: fix PoolCounter protection of Special:Contributions.
Bug fixes
- Don't access MWServices prematurely in Maintenance.php.
- Mark ApiClientLogin/ApiLogin as requiring write mode.
- Installer: Fix foundation.wikimedia.org link in config-pingback-help.
- Make postgres IRC channel point to libera.chat.
- composer.json: Promote and pin monolog/monolog to require from require-dev.
- JavaScriptMinifier: Recognize `...` as a single token.
- Update wikimedia/minify to 2.2.4.
- ExtensionProcessor: Remove loaderScripts from extension.json schemas.
- Installer: Fix mediawiki-announce auto subscription code.
- FormatJson: Optimize encode() for supported PHP versions.
- renameRestrictions.php: Update protected_titles as well.
- objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
- $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
- resourceloader: Call getStyleFiles from FileModule::getFileHashes.
- parser: Avoid calling ParserOptions::getOption() too many times.
- Unserialize objects in ParserCache->mExtensionData as objects.
- MysqlUpdater: Add updatelog entries for dropDefault.
- Fix $phase check in OutputHandler.
- The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.