I would like to announce the release of MediaWiki 1.39.16, 1.43.6, 1.44.3 and 1.45.1!
These releases serve as security and maintenance releases for these branches.

The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and fixes will be back-ported when possible. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.

PHP 8.x workboards:
* https://phabricator.wikimedia.org/tag/php_8.0_support/
* https://phabricator.wikimedia.org/tag/php_8.1_support/
* https://phabricator.wikimedia.org/tag/php_8.2_support/
* https://phabricator.wikimedia.org/tag/php_8.3_support/
* https://phabricator.wikimedia.org/tag/php_8.4_support/
* https://phabricator.wikimedia.org/tag/php_8.5_support/

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in December 2024 and MediaWiki 1.42 became EOL at the end of June 2025.

MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025, later this month. It is strongly recommended to upgrade to 1.43 (the next LTS after 1.39), which will be supported until December 2027.

A formal EOL email for MediaWiki 1.39 will come later this month. This is because as per our support policy, it is to be supported until the end of the month, but we are not expecting any further changes to be made to the branch.

For T401987/T401995, when using format=xml with the api, the xslt feature has been disabled by default for all installations. If for some reason you need it (modern browsers won't likely load the stylesheets anyway), you can turn it back on again by setting `$wgEnableUnsafeXsltOption = true;` in LocalSettings.php, but this functionality will be removed in 1.46, so you should migrate any usages ahead of this removal occurring.

== Security fixes ==

* (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by default.
* (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in Special:ApiSandbox.
* (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment links.
* (T405859, CVE-2025-67476) SECURITY: Do not use importers IP in case of external rev author.
* (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail encoded-words.
* (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and wide underscore in data-* attribute names.
* (T401053, CVE-2025-67480) SECURITY: Check read permissions in ApiQueryRevisionsBase.
* (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape 'comma-separator' between multiple protection levels.
* (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side messages (jqueryMsg).
* (T408135, CVE-2025-67482) SECURITY: Lua segfault in unpack().

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T251032
* https://phabricator.wikimedia.org/T385403
* https://phabricator.wikimedia.org/T401053
* https://phabricator.wikimedia.org/T401987
* https://phabricator.wikimedia.org/T401995
* https://phabricator.wikimedia.org/T405859
* https://phabricator.wikimedia.org/T406639
* https://phabricator.wikimedia.org/T406664
* https://phabricator.wikimedia.org/T407131
* https://phabricator.wikimedia.org/T408135
* https://phabricator.wikimedia.org/T409226

== Release notes ==

Full release notes for 1.39.16:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.43.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43

Full release notes for 1.44.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44
https://www.mediawiki.org/wiki/Release_notes/1.44

Full release notes for 1.45.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45
https://www.mediawiki.org/wiki/Release_notes/1.45

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip

Patch to previous version (1.39.15):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip

Patch to previous version (1.43.5):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip

Patch to previous version (1.44.2):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip

Patch to previous version (1.45.0):
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
