Hi all,

On Monday (2026-06-29) we will be issuing a security and maintenance
release to all supported branches of MediaWiki.

Due to the complexity of various patches that will be released as part of
this, they will be made public in Gerrit before the tarballs and git tags
are made.

We have therefore referenced mitigations for some high severity issues both
in the referenced tickets and below.

It is strongly recommended to apply the mitigations to your MediaWiki
installs ASAP, before the patches are released.

While Timeline/EasyTimeline[2] is *not* a MW Bundled extension, it is used
on Wikimedia wikis and is also widely used across the MediaWiki
installation ecosystem; it is therefore flagged for your attention due to
the issues found. If you do not have this extension installed, you do not
need to do anything for that mitigation.

The new releases will be:
- 1.43.9
- 1.44.6
- 1.45.4

These security issues will also be included in 1.46.0, which is due to be
released afterwards.

Security issues:

MediaWiki Core: https://phabricator.wikimedia.org/T422244 - RCE

Mitigation patch:
Making use of $wgRevokePermissions [4], the following lines can be added to
your LocalSettings.php; it will temporarily disable all importing and
therefore prevent malicious files being imported by any user:

  $wgRevokePermissions['*']['importupload'] = true;
  $wgRevokePermissions['*']['import'] = true;

You will want to remove these lines once you have applied the security
patches/upgraded to the latest point release versions. We recommend that
you restrict imports to trusted users.

Non-bundled extension security issues:

Timeline: https://phabricator.wikimedia.org/T426631 - RCE

A Remote Code Execution vulnerability exists in the perl script that
EasyTimeline executes to render the timelines.

If you run EasyTimeline in a similar fashion to Wikimedia Production, where
EasyTimeline’s perl scripts are executed in a remote shellbox (vm or
kubernetes), exposure is more limited.

Mitigation: Disable timeline (EasyTimeline) extension until patches are
released, especially if you do not run the execution in a remote shellbox.
Or if you have access to the security tasks, apply the patch from the task.

Timeline: https://phabricator.wikimedia.org/T427611 - Stored XSS in SVG
file output

It is possible to store an XSS in the SVG files generated by timeline.
These aren’t used by MediaWiki by default (though they may be used for RTL
timelines), but these files would still be hosted by your wiki, and could
be hot linked elsewhere.

Mitigation: Disable timeline (EasyTimeline) extension until patches are
released, especially if you do not run the execution in a remote shellbox.
Or if you have access to the security tasks, apply the patch from the task.

Appropriate CSP configuration can also help prevent XSS vectors such as
this.

—

This release will also resolve security issues in bundled extensions, along
with bug fixes included for maintenance reasons.

These security issues also affect many unsupported versions of MediaWiki.

We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.

A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.

As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki
1.42 became EOL in June 2025.

MediaWiki 1.44 becomes EOL at the end of July 2026.

MediaWiki 1.46 is due to be released following this security release.

More information on these timelines can be viewed on the version lifecycle
page at [1].

Thank you,

Wikimedia Foundation, Product Safety and Integrity
[email protected]

[1] https://www.mediawiki.org/wiki/Version_lifecycle
[2] https://www.mediawiki.org/wiki/Extension:EasyTimeline
[3] https://www.mediawiki.org/wiki/Manual:Security#File_permissions
[4] https://www.mediawiki.org/wiki/Manual:$wgRevokePermissions
_______________________________________________
Wikitech-l mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/

Reply via email to