MediaWiki 1.36.3

15 December 2021

MediaWiki version 1.36.3 is now available (security release).

Upgrading to MediaWiki 1.36.3

What's New in MediaWiki 1.36.3

• CVE-2021-44854 SECURITY: Do not cache private wiki completion results.
  
• CVE-2021-44858 CVE-2021-44857 SECURITY: Fix permissions checks in undo actions.
  
• CVE-2021-45038 SECURITY: Fix permissions check in action=rollback.
  
• CVE-2021-44856 SECURITY: Fix use of EditFilterMergedContent hook when changing content model.
  
• SECURITY: Require 'read' right for most actions.
  

• mediawiki.page.ready: Introduce wikipage.indicators hook.
  
• Add symfony/polyfill-php80.
  
• IcuCollation: Add some more icu to unicode version mappings.
  
• ApiBase: Annotate deprecated constants individually.
  
• PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy.
  
• installer: Fix 5th param to sourceFile() in DatabaseUpdater.
  
• Always encode spaces in cookie values as "%20".
  
• Use LocalFile::getHookRunner instead of LocalFile::hookRunner.
  
• mediawiki.page.ready: Fire hook 'wikipage.indicators' with children.
  
• HistoryBlobStub: add getLocation() to get $mOldId.
  
• Fix checkStorage.php.
  
• checkStorage: pass no parameters to WikiRevision::getContent().
  
• Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
  
• JobQueueRedis: Replace deprecated zSize with zCard.
  
• NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser.
  
• Allow populateContentTables to continue when there are bad blobs.
  
• ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set.
  
• Update pear/mail_mime to 1.10.11.
  
• Update deprecated Guzzle Psr7 function calls.
  
• Follow-Up: I10fbd4b6a: Update @since tags as those were backported.
  
• Tweak error message for missing composer dependencies.
  
• Allow inserting new sections named '0'.
  
• nukeNS: don't run purgeRedundantText() after every change.
  
• installer: Fix Postgres mistakes in using changeField method.
  
• RollbackAction: fix missing pagetitle.