Hi, Git tags still have not been created for any of these security releases, as far as I know. Could someone please take care of this? Some people (including myself) need these tags in order to do an upgrade.
On Thu, Dec 11, 2025 at 8:49 AM Yaron Koren <[email protected]> wrote: > Hi Sam, > > It looks like Git tags have not yet been created for these new releases - > are they coming? > > https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+refs > > On Wed, Dec 10, 2025 at 2:23 PM Sam Reed <[email protected]> wrote: > >> I would like to announce the release of MediaWiki 1.39.16, 1.43.6, 1.44.3 >> and 1.45.1! >> >> These releases serve as security and maintenance releases for these >> branches. >> >> The tarballs have already been uploaded as of this email, and the git >> tags will be pushed shortly. >> >> A "MediaWiki Extensions Security Release Supplement" e-mail will follow >> this one, covering security updates for non-bundled extensions. >> >> Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and >> fixes will be back-ported when possible. If you find issues that haven't >> been backported, please report these too, referring to the relevant >> supported release. >> >> PHP 8.x workboards: >> * https://phabricator.wikimedia.org/tag/php_8.0_support/ >> * https://phabricator.wikimedia.org/tag/php_8.1_support/ >> * https://phabricator.wikimedia.org/tag/php_8.2_support/ >> * https://phabricator.wikimedia.org/tag/php_8.3_support/ >> * https://phabricator.wikimedia.org/tag/php_8.4_support/ >> * https://phabricator.wikimedia.org/tag/php_8.5_support/ >> >> As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, >> MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in >> December 2024 and MediaWiki 1.42 became EOL at the end of June 2025. >> >> MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025, >> later this month. It is strongly recommended to upgrade to 1.43 (the next >> LTS after 1.39), which will be supported until December 2027. >> >> A formal EOL email for MediaWiki 1.39 will come later this month. This is >> because as per our support policy, it is to be supported until the end of >> the month, but we are not expecting any further changes to be made to the >> branch. >> >> For T401987/T401995, when using format=xml with the api, the xslt feature >> has been disabled by default for all installations. If for some reason you >> need it (modern browsers won't likely load the stylesheets anyway), you can >> turn it back on again by setting `$wgEnableUnsafeXsltOption = true;` in >> LocalSettings.php, but this functionality will be removed in 1.46, so you >> should migrate any usages ahead of this removal occuring. >> >> == Security fixes == >> >> * (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by >> default. >> * (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in >> Special:ApiSandbox. >> * (T406664, CVE-2025-67475) SECURITY: Escape square brackets in >> autocomment links. >> * (T405859, CVE-2025-67476) SECURITY: Do not use importers IP in case of >> external rev author. >> * (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail >> encoded-words. >> * (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and >> wide underscore in data-* attribute names. >> * (T401053, CVE-2025-67480) SECURITY: Check read permissions in >> ApiQueryRevisionsBase. >> * (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape >> 'comma-separator' between multiple protection levels. >> * (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in >> client-side messages (jqueryMsg). >> * (T408135, CVE-2025-67482) SECURITY: Lua segfault in unpack(). >> >> == Links to all mentioned tasks == >> * https://phabricator.wikimedia.org/T251032 >> * https://phabricator.wikimedia.org/T385403 >> * https://phabricator.wikimedia.org/T401053 >> * https://phabricator.wikimedia.org/T401987 >> * https://phabricator.wikimedia.org/T401995 >> * https://phabricator.wikimedia.org/T405859 >> * https://phabricator.wikimedia.org/T406639 >> * https://phabricator.wikimedia.org/T406664 >> * https://phabricator.wikimedia.org/T407131 >> * https://phabricator.wikimedia.org/T408135 >> * https://phabricator.wikimedia.org/T409226 >> >> == Release notes == >> >> Full release notes for 1.39.16: >> >> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39 >> https://www.mediawiki.org/wiki/Release_notes/1.39 >> >> Full release notes for 1.43.6: >> >> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43 >> https://www.mediawiki.org/wiki/Release_notes/1.43 >> >> Full release notes for 1.44.3: >> >> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44 >> https://www.mediawiki.org/wiki/Release_notes/1.44 >> >> Full release notes for 1.45.1: >> >> https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45 >> https://www.mediawiki.org/wiki/Release_notes/1.45 >> >> For information about how to upgrade, see >> <https://www.mediawiki.org/wiki/Manual:Upgrading> >> >> ********************************************************************** >> Download: >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip >> >> Download without bundled extensions: >> >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip >> >> Patch to previous version (1.39.15): >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip >> >> GPG signatures: >> >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.tar.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.16.zip.sig >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.tar.gz.sig >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.zip.sig >> >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.16.patch.zip.sig >> >> Public keys: >> https://www.mediawiki.org/keys/keys.html >> >> ********************************************************************** >> Download: >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip >> >> Download without bundled extensions: >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip >> >> Patch to previous version (1.43.5): >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip >> >> GPG signatures: >> >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.tar.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.6.zip.sig >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.tar.gz.sig >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.zip.sig >> >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.6.patch.zip.sig >> >> Public keys: >> https://www.mediawiki.org/keys/keys.html >> >> ********************************************************************** >> Download: >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip >> >> Download without bundled extensions: >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip >> >> Patch to previous version (1.44.2): >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip >> >> GPG signatures: >> >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.tar.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.3.zip.sig >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.tar.gz.sig >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.zip.sig >> >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.3.patch.zip.sig >> >> Public keys: >> https://www.mediawiki.org/keys/keys.html >> >> ********************************************************************** >> Download: >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip >> >> Download without bundled extensions: >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip >> >> Patch to previous version (1.45.0): >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip >> >> GPG signatures: >> >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.tar.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.1.zip.sig >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.tar.gz.sig >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.zip.sig >> >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.gz.sig >> >> https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.1.patch.zip.sig >> >> Public keys: >> https://www.mediawiki.org/keys/keys.html >> _______________________________________________ >> MediaWiki-l mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> >> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/ > > > > -- > WikiWorks · MediaWiki Consulting · http://wikiworks.com > -- WikiWorks · MediaWiki Consulting · http://wikiworks.com
_______________________________________________ Wikitech-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
