Hi all,
On Thursday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.35.12
- 1.39.5
- 1.40.1
This will resolve four security issues in MediaWiki core, two in a bundled
skin, along with bug fixes included for maintenance reasons. This includes
various patches for PHP 8.0, PHP 8.1 and PHP 8.2 support.
One issue in a bundled skin only affects MediaWiki 1.40 and master, the
other bundled skin issue affects MediaWiki 1.39, 1.40 and master.
A partial fix for one of the skin issues is already merged into the
relevant release branch.
One more minor security fix was merged in public after the releases of
1.35.11/1.38.7/1.39.4/1.40.0.
We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.
As a reminder, when 1.35 was released, it was originally due to become end
of life (EOL) at the end of September 2023. Due to 1.39 being released late
(November 2022), and to honor the commitment to the 1 year overlap of
MediaWiki LTS releases, this formal EOL process is being delayed till at
least the end of November 2023.
In practice, this may become sometime in December 2023, to coincide with
the security and maintenance release for that quarter. A formal EOL
announcement for 1.35 will come in advance of that point.
It is therefore expected that 1.35.13 in December 2023 will become the
final release for the 1.35 branch.
It is noted that support and CI for 1.35 is becoming more limited;
backports are becoming best-effort. Browser testing has been dropped for
1.35 in Wikimedia CI, due to the difficulties to support this.
It is strongly recommended to upgrade to 1.39 (the next LTS after 1.35),
which will be supported until November 2025, or 1.40, which will be
supported until June 2024.
[1] https://www.mediawiki.org/wiki/Version_lifecycle