I would like to announce the release of MediaWiki 1.39.14, 1.43.4 and 1.44.1!

These releases serve as security and maintenance releases for these branches. The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are particularly welcome, and fixes will be back-ported when possible.

As part of the Wikimedia migration to PHP 8.1 and moving towards PHP 8.3, bug fixes affecting PHP 8.0-8.3 may have been backported to applicable releases. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.

Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/, https://phabricator.wikimedia.org/tag/php_8.3_support/ and https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in December 2024 and MediaWiki 1.42 became EOL at the end of June 2025.

MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025. It is strongly recommended to upgrade to 1.43 (the next LTS after 1.39), which will be supported until December 2027.

== Security fixes ==

* (T387478, CVE-2025-61634) SECURITY: REST: Set cache-control value of max-age=60 for redirects.
* (T394396, CVE-2025-61636) SECURITY: Escape rawElement $content.
* (T394856, CVE-2025-61637) SECURITY: Escape three system messages used by live preview.
* (T401099, CVE-2025-61638) SECURITY: Sanitize data- attributes.
* (T280413, CVE-2025-61639) SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange.
* (T402075, CVE-2025-61640) SECURITY: Parse messages instead of inserting them as HTML.
* (T298690, CVE-2025-61641) SECURITY: api: Disable maxsize in QueryAllPages in miser mode.
* (T402313, CVE-2025-61642) SECURITY: Escape submit button label for Codex-based HTMLForms.
* (T403757, CVE-2025-61643) SECURITY: Don't send suppressed recent changes to RCFeeds.
* (T403761, CVE-2025-61645) SECURITY: Fix i18n XSS in CodexTablePager.
* (T398706, CVE-2025-61646) SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges.

CheckUser

* (T403408, CVE-2025-61651) SECURITY: fix XSS in tempuser-expired-link-tooltip message.
* (T404805, CVE-2025-61658) SECURITY: Add config variable to exclude from GlobalContributions.
* (T402077, CVE-2025-61648) SECURITY: Escape system messages before inserting them as HTML.

ConfirmEdit

* (T355073, CVE-2025-61635) SECURITY: ApiFancyCaptchaReload: Reuse badcaptcha rate limit.

DiscussionTools

* (T397580, CVE-2025-61652) SECURITY: In API check user read permissions before showing PageInfo.
* (T364910, T396248, CVE-2025-11175) SECURITY: DiscussionTools should use better regex.

OATHAuth

* (T401862, T402094, CVE-2025-11173) SECURITY: Reauth for enabling 2FA can be bypassed by submitting a form.
* (T396951) FreeOTP refuses to add MediaWiki's 2FA details, because "token is unsafe".

TextExtracts

* (T397577, CVE-2025-61653) SECURITY: Add authorizeRead check for extracts endpoint.

Thanks

* (T397497, CVE-2025-61654) SECURITY: Exclude deleted entries when counting thanks.

VisualEditor

* (T395858, CVE-2025-61655) SECURITY: Properly escape and parse system messages.
* (T397232, CVE-2025-61656) SECURITY: Sanitize attributes unwrapped from data-ve-attributes.

Vector

* (T398636, CVE-2025-61657) SECURITY: Insert sticky header labels as text instead of HTML.

Parsoid

* (T401099, CVE-2025-61638) SECURITY: Sanitizer::validateAttributes data-XSS.
== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T280413
* https://phabricator.wikimedia.org/T298690
* https://phabricator.wikimedia.org/T355073
* https://phabricator.wikimedia.org/T364910
* https://phabricator.wikimedia.org/T387478
* https://phabricator.wikimedia.org/T394396
* https://phabricator.wikimedia.org/T394856
* https://phabricator.wikimedia.org/T395858
* https://phabricator.wikimedia.org/T396951
* https://phabricator.wikimedia.org/T397232
* https://phabricator.wikimedia.org/T397497
* https://phabricator.wikimedia.org/T397577
* https://phabricator.wikimedia.org/T397580
* https://phabricator.wikimedia.org/T398636
* https://phabricator.wikimedia.org/T398706
* https://phabricator.wikimedia.org/T401099
* https://phabricator.wikimedia.org/T401862
* https://phabricator.wikimedia.org/T402075
* https://phabricator.wikimedia.org/T402077
* https://phabricator.wikimedia.org/T402313
* https://phabricator.wikimedia.org/T403408
* https://phabricator.wikimedia.org/T403757
* https://phabricator.wikimedia.org/T403761
* https://phabricator.wikimedia.org/T404805

== Release notes ==

Full release notes for 1.39.14:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.43.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43

Full release notes for 1.44.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.44
https://www.mediawiki.org/wiki/Release_notes/1.44

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.14.zip

Patch to previous version (1.39.13):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.14.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.4.zip

Patch to previous version (1.43.3):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.4.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.1.zip

Patch to previous version (1.44.0):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/