Hi Sam, It looks like Git tags have not yet been created for these new releases - are they coming?
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+refs On Wed, Dec 10, 2025 at 2:23 PM Sam Reed <[email protected]> wrote: > I would like to announce the release of MediaWiki 1.39.16, 1.43.6, 1.44.3 > and 1.45.1! > > These releases serve as security and maintenance releases for these > branches. > > The tarballs have already been uploaded as of this email, and the git tags > will be pushed shortly. > > A "MediaWiki Extensions Security Release Supplement" e-mail will follow > this one, covering security updates for non-bundled extensions. > > Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and > fixes will be back-ported when possible. If you find issues that haven't > been backported, please report these too, referring to the relevant > supported release. > > PHP 8.x workboards: > * https://phabricator.wikimedia.org/tag/php_8.0_support/ > * https://phabricator.wikimedia.org/tag/php_8.1_support/ > * https://phabricator.wikimedia.org/tag/php_8.2_support/ > * https://phabricator.wikimedia.org/tag/php_8.3_support/ > * https://phabricator.wikimedia.org/tag/php_8.4_support/ > * https://phabricator.wikimedia.org/tag/php_8.5_support/ > > As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, > MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in > December 2024 and MediaWiki 1.42 became EOL at the end of June 2025. > > MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025, > later this month. It is strongly recommended to upgrade to 1.43 (the next > LTS after 1.39), which will be supported until December 2027. > > A formal EOL email for MediaWiki 1.39 will come later this month. This is > because as per our support policy, it is to be supported until the end of > the month, but we are not expecting any further changes to be made to the > branch. > > For T401987/T401995, when using format=xml with the api, the xslt feature > has been disabled by default for all installations. If for some reason you > need it (modern browsers won't likely load the stylesheets anyway), you can > turn it back on again by setting `$wgEnableUnsafeXsltOption = true;` in > LocalSettings.php, but this functionality will be removed in 1.46, so you > should migrate any usages ahead of this removal occuring. > > == Security fixes == > > * (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by > default. > * (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in > Special:ApiSandbox. > * (T406664, CVE-2025-67475) SECURITY: Escape square brackets in > autocomment links. > * (T405859, CVE-2025-67476) SECURITY: Do not use importers IP in case of > external rev author. > * (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail > encoded-words. > * (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and > wide underscore in data-* attribute names. > * (T401053, CVE-2025-67480) SECURITY: Check read permissions in > ApiQueryRevisionsBase. > * (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape > 'comma-separator' between multiple protection levels. > * (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in > client-side messages (jqueryMsg). > * (T408135, CVE-2025-67482) SECURITY: Lua segfault in unpack(). > > == Links to all mentioned tasks == > * https://phabricator.wikimedia.org/T251032 > * https://phabricator.wikimedia.org/T385403 > * https://phabricator.wikimedia.org/T401053 > * https://phabricator.wikimedia.org/T401987 > * https://phabricator.wikimedia.org/T401995 > * https://phabricator.wikimedia.org/T405859 > * https://phabricator.wikimedia.org/T406639 > * https://phabricator.wikimedia.org/T406664 > * https://phabricator.wikimedia.org/T407131 > * https://phabricator.wikimedia.org/T408135 > * https://phabricator.wikimedia.org/T409226 > > == Release notes == > > Full release notes for 1.39.16: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39 > https://www.mediawiki.org/wiki/Release_notes/1.39 > > Full release notes for 1.43.6: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43 > https://www.mediawiki.org/wiki/Release_notes/1.43 > > Full release notes for 1.44.3: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44 > https://www.mediawiki.org/wiki/Release_notes/1.44 > > Full release notes for 1.45.1: > > https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45 > https://www.mediawiki.org/wiki/Release_notes/1.45 > > For information about how to upgrade, see > <https://www.mediawiki.org/wiki/Manual:Upgrading> > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip > > Patch to previous version (1.39.15): > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz.sig > > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip.sig > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip.sig > > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz.sig > > https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip > > Patch to previous version (1.43.5): > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip.sig > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip.sig > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz.sig > > https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip > > Patch to previous version (1.44.2): > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip.sig > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip.sig > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz.sig > > https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > > ********************************************************************** > Download: > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip > > Download without bundled extensions: > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip > > Patch to previous version (1.45.0): > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip > > GPG signatures: > > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip.sig > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz.sig > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip.sig > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz.sig > > https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip.sig > > Public keys: > https://www.mediawiki.org/keys/keys.html > _______________________________________________ > MediaWiki-l mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/ -- WikiWorks · MediaWiki Consulting · http://wikiworks.com
_______________________________________________ Wikitech-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
