I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and 1.43.1!
These releases serve as security and maintenance releases for these branches.

Apologies for this release being late; it was due in the last week of March. Unfortunately, due to the ongoing events of https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of_account_compromises, that took priority in terms of resources.

The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are particularly welcome, and fixes will be back-ported when possible. As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP 8.0 and 8.1 may have been backported to applicable releases. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.

Please see the following for the relevant work boards:
* https://phabricator.wikimedia.org/tag/php_8.0_support/
* https://phabricator.wikimedia.org/tag/php_8.1_support/
* https://phabricator.wikimedia.org/tag/php_8.2_support/
* https://phabricator.wikimedia.org/tag/php_8.3_support/
* https://phabricator.wikimedia.org/tag/php_8.4_support/

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in December 2024. MediaWiki 1.39 (old LTS) becomes EOL in November 2025. MediaWiki 1.43 becomes EOL in June 2025.

It is strongly recommended to upgrade as appropriate to either 1.42, which will be supported until June 2025, or ideally to 1.43 (the next LTS after 1.39), which will be supported until December 2027.

== Security fixes ==
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert action.
* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager: Differentiate between cascading protection of file content and file pages.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in HTMLMultiSelectField when sections are used.
* (T389235, CVE-2025-32700) SECURITY: AbuseFilter log interfaces expose global private and hidden filters when central DB is not available.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T24521
* https://phabricator.wikimedia.org/T62109
* https://phabricator.wikimedia.org/T140010
* https://phabricator.wikimedia.org/T304474
* https://phabricator.wikimedia.org/T358689
* https://phabricator.wikimedia.org/T385958
* https://phabricator.wikimedia.org/T387130
* https://phabricator.wikimedia.org/T389235

== Release notes ==
Full release notes for 1.39.12:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.42.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42
https://www.mediawiki.org/wiki/Release_notes/1.42

Full release notes for 1.43.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip

Patch to previous version (1.39.11):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip

Patch to previous version (1.42.4):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip

Patch to previous version (1.43.0):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/