Hi all, On Monday (2026-06-29) we will be issuing a security and maintenance release to all supported branches of MediaWiki.
Due to the complexity of various patches that will be released as part of this, they will be made public in Gerrit before the tarballs and git tags are made. We have therefore referenced mitigations for some high severity issues both in the referenced tickets and below. It is strongly recommended to apply the mitigations to your MediaWiki installs ASAP, before the patches are released. While Timeline/EasyTimeline[2] is *not* a MW Bundled extension, it is used on Wikimedia wikis and is also widely used across the MediaWiki installation ecosystem; it is therefore flagged for your attention due to the issues found. If you do not have this extension installed, you do not need to do anything for that mitigation. The new releases will be: - 1.43.9 - 1.44.6 - 1.45.4 These security issues will also be included in 1.46.0, which is due to be released afterwards. Security issues: MediaWiki Core: https://phabricator.wikimedia.org/T422244 - RCE Mitigation patch: Making use of $wgRevokePermissions [4], the following lines can be added to your LocalSettings.php; it will temporarily disable all importing and therefore prevent malicious files being imported by any user: $wgRevokePermissions['*']['importupload'] = true; $wgRevokePermissions['*']['import'] = true; You will want to remove these lines once you have applied the security patches/upgraded to the latest point release versions. We recommend that you restrict imports to trusted users. Non-bundled extension security issues: Timeline: https://phabricator.wikimedia.org/T426631 - RCE A Remote Code Execution vulnerability exists in the perl script that EasyTimeline executes to render the timelines. If you run EasyTimeline in a similar fashion to Wikimedia Production, where EasyTimeline’s perl scripts are executed in a remote shellbox (vm or kubernetes), exposure is more limited. Mitigation: Disable timeline (EasyTimeline) extension until patches are released, especially if you do not run the execution in a remote shellbox. Or if you have access to the security tasks, apply the patch from the task. Timeline: https://phabricator.wikimedia.org/T427611 - Stored XSS in SVG file output It is possible to store an XSS in the SVG files generated by timeline. These aren’t used by MediaWiki by default (though they may be used for RTL timelines), but these files would still be hosted by your wiki, and could be hot linked elsewhere. Mitigation: Disable timeline (EasyTimeline) extension until patches are released, especially if you do not run the execution in a remote shellbox. Or if you have access to the security tasks, apply the patch from the task. Appropriate CSP configuration can also help prevent XSS vectors such as this. — This release will also resolve security issues in bundled extensions, along with bug fixes included for maintenance reasons. These security issues also affect many unsupported versions of MediaWiki. We will make the fixes available in the respective release branches and master in git. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later. As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki 1.42 became EOL in June 2025. MediaWiki 1.44 becomes EOL at the end of July 2026. MediaWiki 1.46 is due to be released following this security release. More information on these timelines can be viewed on the version lifecycle page at [1]. Thank you, Wikimedia Foundation, Product Safety and Integrity [email protected] [1] https://www.mediawiki.org/wiki/Version_lifecycle [2] https://www.mediawiki.org/wiki/Extension:EasyTimeline [3] https://www.mediawiki.org/wiki/Manual:Security#File_permissions [4] https://www.mediawiki.org/wiki/Manual:$wgRevokePermissions
_______________________________________________ Wikitech-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
