[00:18:52] [1/21] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/BNKJARHTTLU7VIW7UTT3MCHBNDMTU5IU/
[00:18:52] [2/21] Upcoming Codex 2.0 release
[00:18:52] [3/21] Anne Tomasevich @ 8 Apr 2025 9:42 p.m.
[00:18:53] [4/21] The Design System Team (DST)[0] is preparing to release the next major version of Codex, the design system for Wikimedia. [...] expanding the toolkit with [...] new components[1], tokens[2] and icons[3], introducing alternative color modes[4], adding a proper i18n system[5], refactoring components to be compatible with native browser validation[6], supporting the creation of a PHP
[00:18:53] [5/21] implementation of the component library[7], refreshing the documentation, and (finally) getting a unique logo. With the upcoming introduction of a revised typography scale and customizable font modes[8] along with a handful of other breaking changes, DST has determined this to be an appropriate time for another major version release.
[00:18:53] [6/21] [...]
[00:18:54] [7/21] v2.0.0-rc.1 will be released on 29 April 2025 [...]
[00:18:54] [8/21] v2.0.0 will be released on 13 May 2025 [...]
[00:18:54] [9/21] [...]
[00:18:55] [10/21] Codex 2.0 will include a number of breaking changes [...] detailed [...] at https://www.mediawiki.org/wiki/Codex/Release_Timeline/2.0#Breaking_changes.
[00:18:55] [11/21] [...]
[00:18:55] [12/21] [0] https://www.mediawiki.org/wiki/Design_System_Team
[00:18:56] [13/21] [1] https://doc.wikimedia.org/codex/latest/components/overview.html
[00:18:56] [14/21] [2] https://doc.wikimedia.org/codex/latest/design-tokens/overview.html
[00:18:57] [15/21] [3] https://doc.wikimedia.org/codex/latest/icons/overview.html
[00:18:57] [16/21] [4] https://doc.wikimedia.org/codex/latest/using-codex/adrs/08-adr-color-modes.html
[00:18:58] [17/21] [5] https://doc.wikimedia.org/codex/latest/using-codex/adrs/10-adr-i18n-for-common-strings.html
[00:18:58] [18/21] [6] https://doc.wikimedia.org/codex/latest/using-codex/adrs/12-adr-native-constraint-validation.html
[00:18:59] [19/21] [7] https://doc.wikimedia.org/codex/latest/using-codex/adrs/11-adr-codex-php.html
[00:18:59] [20/21] [8] https://doc.wikimedia.org/codex/latest/using-codex/adrs/13-adr-font-modes.html
[00:19:00] [21/21] [Truncated due to discord limits. hyperkitty link has full details]
[00:19:00] [1/24] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/
[00:19:01] [2/24] Security and maintenance release: 1.39.12 / 1.42.6 / 1.43.1
[00:19:01] [3/24] Sam Reed @ 10 Apr 2025 11:23 p.m.
[00:19:02] [4/24] I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and 1.43.1!
[00:19:02] [5/24] These releases serve as security and maintenance releases for these branches.
[00:19:03] [6/24] Apologies for this release being late, it was due in the last week of March. Unfortunately, due to the ongoing events of https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of_account_compromises, that took priority in terms of resources.
[00:19:03] [7/24] [...]
[00:19:04] [8/24] It is strongly recommended to upgrade as appropriate to either 1.42, which will be supported until June 2025, or ideally to 1.43 (the next LTS after 1.39), which will be supported until December 2027.
[00:19:04] [9/24] == Security fixes ==
[00:19:05] [10/24] (T304474, CVE-2025-32696) Apply proper restrictions on file revert action.
[00:19:05] [11/24] (T24521, T62109, T140010, CVE-2025-32697) PermissionManager: Differentiate between cascading protection of file content and file pages.
[00:19:06] [12/24] (T385958, CVE-2025-32698) LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
[00:19:06] [13/24] (T387130, CVE-2025-32699) Potential javascript injection attack enabled by Unicode normalization in Action API.
[00:19:07] [14/24] (T358689, CVE-2025-3469) i18n XSS vulnerability in HTMLMultiSelectField when sections are used.
[00:19:07] [15/24] (T389235, CVE-2025-32700) AbuseFilter log interfaces expose global private and hidden filters when central DB is not available.
[00:19:08] [16/24] == Links to all mentioned tasks ==
[00:19:08] [17/24] [...]
[00:19:09] [18/24] == Release notes ==
[00:19:09] [19/24] [[[
[00:19:10] [20/24] https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
[00:19:10] [21/24] https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42
[00:19:11] [22/24] https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
[00:19:11] [23/24] ]]]
[00:19:12] [24/24] [Truncated and heavily modified due to discord limits. hyperkitty link has full details]
[00:19:12] [1/24] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/
[00:19:13] [2/24] MediaWiki Extensions and Skins Security Release Supplement (1.39.12/1.42.6/1.43.1)
[00:19:13] [3/24] Scott Bassett @ 11 Apr 2025 10:47 p.m.
[00:19:14] [4/24] Greetings-
[00:19:14] [5/24] [...]
[00:19:15] [6/24] With the security/maintenance release of MediaWiki 1.39.12/1.42.6/1.43.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
[00:19:15] [7/24] T383472 - XSSes in Extension:SimpleCalendar
[00:19:16] [8/24] T384269 - XSSes and potential RCE in Special:VersionCompare
[00:19:16] [9/24] T384244 - GrowthExperiments Saving the right content to MediaWiki:GrowthMentors.json can take down the site
[00:19:17] [10/24] T366402 - Cross-origin data leak in MobileFrontend via lazy load images
[00:19:17] [11/24] T385935 - Evil regex used to process user-provided data in VisualData
[00:19:18] [12/24] T386175 - FeedUtils HTML injection in feed output from i18n message
[00:19:18] [13/24] T386337 - System message XSS in HTMLTags
[00:19:19] [14/24] T386908 - XSSes in Extension:ConfirmAccount
[00:19:19] [15/24] T386887 - IP and user agent leaks in Extension:Tabs
[00:19:20] [16/24] T386963 - i18n XSS vulnerability in message GrowthExperiments
[00:19:20] [17/24] T336113 - Revoking authorization of OAuth2 consumer does not invalidate refresh tokens
[00:19:21] [18/24] T387691 - WikibaseMediaInfo Wikitext stored XSS on filepages due to dangerous WBMI serialization
[00:19:21] [19/24] T389590 - XSSes in AJAXPoll
[00:19:22] [20/24] T389369 - Wikibase CommonsInlineImageFormatter: i18n XSS
[00:19:22] [21/24] The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch as soon as possible. [...] If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[00:19:23] [22/24] [1] https://phabricator.wikimedia.org/T382326
[00:19:23] [23/24] [3] https://www.mediawiki.org/wiki/Reporting_security_bugs
[00:19:24] [24/24] [Truncated and heavily modified due to discord limits. hyperkitty link has full details]
[00:20:12] --- Seem to have missed this, but this was posted a few days ago ---
[00:38:10] Did anyone do this yet by chance?
[00:54:13] ah, yeah ^^;
[00:54:15] dunno who tbh...
[01:18:35] [1/3] these edits on [[Finance]] are broken and give an exception when accessing them or their diffs; `MediaWiki\Revision\RevisionAccessException`
[01:18:35] [2/3] https://meta.miraheze.org/wiki/Finance?oldid=396489
[01:18:36] [3/3] https://cdn.discordapp.com/attachments/1006789349498699827/1362598151898267818/image.png?ex=6802f9eb&is=6801a86b&hm=313c117d79fc60b8427d0f13c7e590b974cbc9b7d6d11a2b3ba2509260e3d63d&
[01:18:36]
[01:18:55] presumably cos of the weird wikipedia thing
[01:21:05] how are there imported edits within the edit history
[01:21:17] didn't know that is possible
[01:21:19] on a finance page too
[01:22:01] and the edit summary is in dutch but from a user who I don't think speaks dutch
[01:22:11] i feel like the db bugged or sth
[01:32:43] [1/4] just tried voting in the election and it gave me
[01:32:43] [2/4] ```
[01:32:44] [3/4] [a660b3502841e63be4ce8a2a] 2025-04-18 01:32:19: Fatal exception of type "Wikimedia\Rdbms\DBQueryError"
[01:32:44] [4/4] ```
[02:43:11] [1/3] A user has a problem with Scribunto on his wiki
[02:43:11] [2/3] https://mariebyrdwiki.miraheze.org/wiki/Module:Documentation
[02:43:12] [3/3] Scribunto is active, the Page information says it is scribunto, but the modules are all not recognised as such.
[02:44:05] See also his request for help https://meta.miraheze.org/wiki/Community_portal#Problem_with_wiki
[02:46:14] Can someone help?
[02:54:06] purged the page, it now works lol
[02:57:54] this now works
[02:58:11] not quite sure what the problem is, apart from missing modules
[02:59:01] Weird.
[03:00:08] https://mariebyrdwiki.miraheze.org/wiki/Module:Election_results
[03:00:18] Purging doesn't work?
[03:02:42] https://cdn.discordapp.com/attachments/1006789349498699827/1362624353249792190/image.png?ex=68031252&is=6801c0d2&hm=d938ded7f6efb42048b5cedc8077375b195d23aae26c0270d6f145bfcdd944ea&
[03:02:50] They still show as
[03:02:59] err
[03:03:04] we don't have a Module:Political party
[03:03:27] I know
[03:03:35] That's not the problem
[03:03:51] https://mariebyrdwiki.miraheze.org/wiki/Module:Documentation
[03:03:55] This is
[03:05:59] All Modules look like that
[03:21:05] no syntax highlighting?
[03:22:19] Ah, could be. :ThinkerMH:
[03:22:28] er
[03:22:33] i'm asking if that's the symptom?
[03:22:56] i mean, it looks just like any other module from a quick skim?
[03:23:03] it has the scribunto doc thing as well
[03:25:42] well okay, i have no idea what https://mariebyrdwiki.miraheze.org/wiki/Module:InfoboxImage is meant to be
[03:26:35] https://en.wikipedia.org/wiki/Module:InfoboxImage
[03:27:08] It is not activated, so might be the issue
[03:27:15] ah
[03:27:22] shouldn't be imo
[03:27:31] but that's done by Extension:CodeEditor if you're interested
[03:27:35] It is on mine
[03:27:50] shouldn't be an issue i mean ^^;
[03:28:09] no idea what happened to the start and end of the module on their wiki though :p
[03:29:04] me neither.
[03:33:33] I need to get to bed as it is past 5.30 am 😴
[03:33:53] mood
[03:33:56] I'll come back to that code editor
[03:34:01] someday
[06:40:48] I did it the second I merged the PR lol
[09:54:50] Can someone merge these please? https://github.com/miraheze/mw-config/pull/5911 and https://github.com/miraheze/mw-config/pull/5909 please.
[10:27:38] I merged but I'll deploy when I wake up since it's 4:30AM unless someone else wants to.
[10:29:01] Alrighty, thanks.
[10:40:38] Please don't leave things underplayed
[10:42:13] It's fine to be undeployed for a little bit just not days at a time IMO. I have a lot of things to deploy so I want to do them together is why I didn't jump on just to deploy that one right now.
[10:42:33] I'd far rather a blanket ban on undeployed changes
[10:43:19] It's on my to do list to track deploy status of things and alert if it's inconsistent
[10:45:04] For more than a few hours I don't want to require it be deployed immediately because I'd rather batched deploys sometimes.
[10:45:29] Then they should be merged together
[10:46:24] There are cli tools for batch merging
[10:47:07] Extensions I'm fine with
[10:47:13] But config there is no reason to leave undeployed
[10:47:48] I can write a draft policy later