I am happy to announce the availability of the general release of MediaWiki
1.44!
Tarballs have already been uploaded, and the git tag has been pushed.
Thanks to everyone who helped out with this release, especially thanks to
those who tested out the release candidate and provided feedback, as well
as the developers who worked on fixes for the 1.44 final release. To see
what's changed in 1.44, see the release notes file.[0] If you encounter any
issues, please file a task.[1] You can see open tasks for the branch on
Phabricator.[2]
MediaWiki 1.44 is the first release of MediaWiki to formally drop PHP 7.4
and PHP 8.0 support; you should use PHP 8.1, 8.2, or 8.3. We also now have
dropped support for Composer 1.x, and require Composer 2.x for those
systems using it.
MediaWiki 1.44 is due to be supported until the end of June 2026.
It is noted that MediaWiki 1.42 is end-of-life as of June 30th 2025. A
formal announcement was made this week, and will co-incide with the next
security and maintenance release which was also scheduled for June 2025.
=== Changes since MediaWiki 1.44.0-rc.0 ===
* Localisation updates.
* (T379445) debug: Migrate E_USER_ERROR to throw Error in DeprecationHelper.
* (T379445) Setup: Switch vendor error from echo+E_USER_ERROR to echo+exit.
* Setup: Update error message for composer dependencies check.
* (T381341, T379445) widget: Remove outdated try/catch wrapper from
SpinnerWidget.
* (T379445) phpunit: Remove unused trigger_error from TestLogger.
* (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
* (T356451) logger: Add void as return type on setLogger.
* (T328921, T359868) Drop PHP 7.4/8.0 support from master
(forward-port from MW 1.42).
* Drop a few phan PhanImpossibleTypeComparison suppressions now we've
dropped
PHP 7.4.
* Clean up resource type and phan suppression in postgres code.
* structure tests: allow PHP 8.1 syntax and autoload enums.
* (T379508, T381291) composer.json: Updated nikic/php-parser from
^5.3.1 to ^5.5.0.
* (T351055) SpecialBrokenRedirects: Batch and preload destination title
info.
* Pass fname to LinkBatch->setCaller in more places.
* SpecialBrokenRedirects: Dedupe logic via private getRedirectTarget helper.
* (T351055) SpecialBrokenRedirects: Load redirect data in batch from
database
* (T388406) RefreshLinksJob: Check hasText before comparing HTML.
* (T397521) Api: Fix permission checks in action=compare.
* (T397472) [REST Sandbox] Remove SwaggerUI from MediaWiki Releases.
* (T397883, T397643) htmlform: fix min/max validations on empty input in
int/float fields
* specials: SpecialTalkPage: Use config from request context.
* (T387408) exception: Skip use of HookRunner when not autoloaded.
* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing
suppressed
users.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField
validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T396230, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login
for reauthentication.
* (T389010, CVE-2025-6926) SECURITY: Allow extensions to supress the reauth
flag on login.
* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when
bl_deleted=1.
* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via
autoblocks of those users.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when
invalid 'format' is provided.
* (T398269) Replace away symfony php polyfills for PHP8/8.1.
* Rest: Move ModuleConfigurationException into correct folder.
* Cache: Move MessageCache hook interfaces into correct folder.
* (T394556) uppercaseTitlesForUnicodeTransition: Add missing return.
* installer: Always check return of IDatabase::fieldInfo in postgres.
* autoload: Expand Autoloader::CORE_NAMESPACES.
Release notes:
[0]
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/refs/heads/…
Bug report form:
[1]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.44-…
Open Bugs:
[2] https://phabricator.wikimedia.org/tag/mw-1.44-release/
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.tar.gzhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.0.tar.gzhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.0.zip
Patch to previous version (1.44.0-rc.0):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.patch.gzhttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.patch.zip
GPG signatures for the above:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.0.tar.gz.…https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.0.zip.sighttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.tar.gz.sighttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.zip.sighttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.patch.gz.sighttps://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.0.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
As per the MediaWiki version lifecycle[1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.42 as of Monday June 30, 2025.
1.42.7 is expected to be the last release for this branch.
This means that MediaWiki 1.42 will no longer receive maintenance or
security backports. It is therefore strongly discouraged that you continue
to use it.
It is recommended to upgrade either to the next LTS, 1.43, which will be
supported until December 2027, or to the soon to be released MediaWiki
1.44, which will be supported until at least June 2026.
Thanks!
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hi all,
On Monday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.39.13
- 1.42.7
- 1.43.2
This will also resolve security issues in bundled extensions, along with
bug fixes included for maintenance reasons.
These security issues also affect many unsupported versions of MediaWiki.
We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,
MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in
December 2024.
MediaWiki 1.42 becomes EOL at the end of June 2025.
MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in November 2025.
It is strongly recommended to upgrade to 1.43 (the next LTS after 1.39),
which will be supported until December 2027.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hey all,
This is a quick note to highlight that we've created the REL1_44 branch for
MediaWiki core and each of the extensions and skins in Wikimedia git [0].
This is the first step in the release process for MediaWiki 1.44.0, which
should be out in June 2025, approximately six months after MediaWiki 1.43.0.
The branches reflect the code as of the last 'alpha' branch for the
release, 1.44.0-wmf.28, which is being deployed to Wikimedia wikis this
week for MediaWiki itself and those extensions and skins available there.
From now on, patches that land in the main development branch of MediaWiki
and its bundled extensions and skins will be slated for the MediaWiki 1.44
release, unless specifically backported [1].
If you are working on a critical bug fix that will affect the code in the
release, once the patch has been merged into the development branch, you
should propose it for backporting by cherry-picking to the REL1_44 branch.
If you are working on a new feature, that should now not be backported. If
you have an urgent case where the work should block release for everyone
else, please file a task against the `mw 1.44-release` project on
Phabricator [2].
If you have tickets that are tagged for `mw-1.44-release`, please finish
them, untag them, or reach out to get them resolved in the next few days.
We hope to issue the first release candidate, 1.44.0-rc.0, in two weeks'
time, and if all goes well, to then release MediaWiki 1.44.0 a few weeks
after that.
[0]: https://www.mediawiki.org/wiki/Bundled_extensions_and_skins [1]:
https://www.mediawiki.org/wiki/Backporting_fixes [2]:
https://phabricator.wikimedia.org/tag/mw-1.44-release/
Best regards, -- Mateus Santos (he/him) Product Manager MediaWiki
Engineering Group
Hello -
One small correction regarding the recent MediaWiki Extensions and Skins
Security Release Supplement announcement emails - within their email
subject and the first paragraph of the announcement, it was stated that
these releases were for MediaWiki versions 1.39.9, 1.41.3 and 1.42.2. This
is incorrect. The correct versions for this release are 1.39.12, 1.42.6
and 1.43.1 per the now-public security release task [0]. We apologize for
this error.
[0] https://phabricator.wikimedia.org/T382326
--
Scott Bassett
sbassett(a)wikimedia.org