MediaWiki 1.32 has been officially released. Below is a highlight of some of the release notes; you can view the full list here.
A new "Interface administrators" group was added, which has the ability to edit sitewide CSS/JS and the CSS/JS of other users. By default, no other group (not even "Administrators") has this capability anymore.
We recommend that you do not grant this group to all of your existing administrators, instead only granting it to those who will be responsible for maintaining CSS/JS pages on the wiki. This increases your site's security in the event that an administrator account is compromised.
The old editing toolbar has been removed (see image below if you aren't sure what toolbar this is). Use an extension such as WikiEditor, which is bundled with the tarball release, instead to provide an editing toolbar. If your wiki has customizations to add additional buttons to this toolbar, work on a migration plan to add them to the WikiEditor toolbar instead.
(Image from Wikimedia Commons)
The MediaWiki API (api.php) is now unconditionally enabled and can no longer be disabled.
A cookie can now be set when an IP user is blocked to track that user if they move to a new IP address. This feature is disabled by default but can be enabled by setting $wgCookieSetOnIpBlock = true; in your LocalSettings.php.
The on-wiki external image whitelist (MediaWiki:External image whitelist) is now disabled by default. If you were making use of this feature, set $wgEnableImageWhitelist = true; in your LocalSettings.php. This feature allowed for allowing embedding of external images ("hotlinking") from domains that wiki administrators specifically allow.
Hotlinked images do not feature any controls such as resizing or adding captions, and leak your visitor's IP addresses to the external source. Furthermore, there is no guarantee that the image will remain available in the future, or that it will not be changed to something else. As such, we recommend that you always upload images locally if possible and do not use this feature.
The Watchlist will now show 7 days of changes by default, up from 3.
When upgrading MediaWiki versions, it is always important to take a backup of both your files as well as your database, as upgrades cannot be "rolled back" once performed. It is recommended to unpack the new files into a new, empty directory and then move over needed files (LocalSettings.php, images, extensions, skins) rather than unpacking the new files directly over the old ones. Unpacking over the old ones could cause files that were removed in 1.32 to remain in your directory tree, which could cause PHP errors down the line or cause security issues as those files will no longer be updated. The database changes in this release could take a while to run on large wikis.
MediaWiki 1.31.0 has now been officially released. This is a Long Term Support (LTS) release, meaning it will receive bugfixes and security updates for a period of 3 years (until June 2021). Below is a highlight of some of the release notes. To view the full release notes, click here.
New System Requirements
MediaWiki 1.31 now requires PHP 7.0 or higher. HHVM 3.18.5+ is still supported, but any users still on HHVM should look into migrating into PHP 7, as HHVM will no longer be supported in the future as Facebook will be dropping PHP support from the product.
More Bundled Extensions
The following extensions are now bundled with the MediaWiki download:
CodeEditor -- provides a more friendly editing UI when editing CSS and JS pages
MultimediaViewer -- opens clicked images in a lightbox instead of leading directly to the image page
OATHAuth -- provides 2-factor authentication (2FA) support using apps such as Google Authenticator
Replace Text -- provides a special page for admins to perform replacements across multiple pages of the wiki, for both page content and page titles
When upgrading MediaWiki versions, it is always important to take a backup of both your files as well as your database, as upgrades cannot be "rolled back" once performed. It is recommended to unpack the new files into a new, empty directory and then move over needed files (LocalSettings.php, images, extensions, skins) rather than unpacking the new files directly over the old ones. Unpacking over the old ones could cause files that were removed in 1.31 to remain in your directory tree, which could cause PHP errors down the line or cause security issues as those files will no longer be updated. The database changes in this release could take a while to run on large wikis.
From Sam Reed on MediaWiki-announce. This is a security release. It is recommended you take action immediately in order to patch your MediaWiki installations.
This security release includes a fix for a Remote Code Execution (RCE) vulnerability present in some configurations of MediaWiki. Not everyone is impacted. To test if you are impacted by this vulnerability, after following all patch instructions in the email (including running the "composer update --no-dev" command if you are installing MediaWiki from git instead of tarball), look through your server access logs for hits to a file named "eval-stdin.php". If you see this entry in your access logs, your server may have been compromised, take additional steps to investigate and secure the server. If you need assistance in how to proceed with this, or have any difficulty checking or validating if you were impacted, post in our support forum.
MediaWiki Users aims to be the premiere experience for obtaining support with the MediaWiki software. We have free community forums where you can ask questions from knowledgeable peers as well as a place where you can request or advertise for-pay MediaWiki services.
MediaWiki Users is ad-free and supported by selling its own services for MediaWiki. Creating an account is free and easy, so join today!