2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

December

List overview
Download

MediaWiki-announce September 2024

mediawiki-announce@lists.wikimedia.org

1 participants
2 discussions

Start a nNew thread

Security and maintenance release: 1.39.9 / 1.41.3 / 1.42.2
by Sam Reed 30 Sep '24

30 Sep '24

I would like to announce the release of MediaWiki 1.39.9, 1.41.3 and 1.42.2! These releases also serve as a maintenance release for these branches. Apologies for the missing subject on the pre-announce email sent last week. The tarballs have already been uploaded as of this email, and the git tags have been pushed. Unfortunately at the time of finalising this release, the CVE has not been assigned a tracking number by MITRE. To get these releases out as detailed in the pre-release announcement, they are therefore documented as "CVE-2024-PENDING" here and in the commit messages of the commits that will be pushed. The related tasks will be updated in retrospect when the CVEs are issued, and we will also amend the RELEASE-NOTES files. They will then be retrospectively correctly documented in the next releases, and in HISTORY in the master branch of MediaWiki core. A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions. Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/ and https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant work boards. As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, and MediaWiki 1.40 became EOL in June 2024. It is strongly recommended to upgrade to either 1.39 (the next LTS after 1.35), which will be supported until November 2025, 1.41, which will be supported until December 2024, or 1.42, which will be supported until June 2025. It is noted that this issue fixed in AbuseFilter is replicable back to at least 1.19, if not before (though AbuseFilter was not bundled till 1.38). == Security fixes == * (T372998, CVE-2024-PENDING) SECURITY: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T372998 == Release notes == Full release notes for 1.39.9: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.39 Full release notes for 1.41.3: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_41/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.41 Full release notes for 1.42.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.42 For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.zip Patch to previous version (1.39.8): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.tar.gz.… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.tar.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.tar.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.zip Patch to previous version (1.41.2): https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.tar.gz.… https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.zip.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.zip.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.zip Patch to previous version (1.42.1): https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.tar.gz.… https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 0

(no subject)
by Sam Reed 27 Sep '24

27 Sep '24

Hi all, On Monday we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.39.9 - 1.41.3 - 1.42.2 This will resolve one security issue in a bundled extension, along with bug fixes included for maintenance reasons. This security issue affects many unsupported versions of MediaWiki. This release may or may not be made with a CVE number formally attached, due to the recent delays in receiving them from MITRE. We will make the fixes available in the respective release branches and master in git. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later. As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, and MediaWiki 1.40 became EOL in June 2024. It is strongly recommended to upgrade to either 1.39 (the next LTS after 1.35), which will be supported until November 2025, 1.41, which will be supported until December 2024, or 1.42, which will be supported until June 2025. [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0