MediaWiki-announce

mediawiki-announce@lists.wikimedia.org

342 discussions

Maintenance release: MediaWiki 1.42.5
by Sam Reed 04 Feb '25

04 Feb '25

I would like to announce the release of MediaWiki 1.42.5! Thia release primarily serves as a maintenance release for this branch. It is to fix a vendor issue, as reported in T382783. The version of Parsoid included in the vendor folder did not match the version in the composer.json file in MediaWiki core. Other maintenance bug fixes have also been backported, and will be included in point releases for other MediaWiki branches (1.39 and 1.43) in the next security and maintenance release due at the end of March 2025. The tarballs have already been uploaded as of this email, and the git tags have been pushed. Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/, https://phabricator.wikimedia.org/tag/php_8.3_support/ and https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant work boards. As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in December 2024. It is strongly recommended to upgrade to either 1.42, which will be supported until June 2025, or to 1.43 (the next LTS after 1.39), which will be supported until December 2027. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T382783 == Release notes == Full release notes for 1.42.5: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.42 For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip Patch to previous version (1.42.4): https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.… https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html

1 0

MediaWiki Extensions and Skins Security Release Supplement (1.39.11/1.41.5/1.42.4)
by Manfredi Martorana 15 Jan '25

15 Jan '25

Greetings- With the security/maintenance release of MediaWiki 1.39.11/1.41.5/1.42.4, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: SocialProfile + (T373265 <https://phabricator.wikimedia.org/T373265>, CVE-2025-23074) - Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed) https://gerrit.wikimedia.org/r/q/I4b77ced314bc6cea0ef3657a82e7467d3661fe2a GlobalBlocking + (T377855 <https://phabricator.wikimedia.org/T377855>, CVE-2025-23073) - API list=globalblocks can reveal IP of autoblock if username and IP are included in the bgtargets parameter https://gerrit.wikimedia.org/r/q/I2a2d32aedf6328be0a9f1b4e04a6567a25f19486 RefreshSpecial + (T378885 <https://phabricator.wikimedia.org/T378885>, CVE-2025-23072) - XSS in Special:RefreshSpecial https://gerrit.wikimedia.org/r/q/Ic9547e80a8296d707ad8a157eb8ba7aa26fb08dc DataTransfer + (T379749 <https://phabricator.wikimedia.org/T379749>, CVE-2025-23081) - Various security vulnerabilities in Extension:DataTransfer https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3 https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7 https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9 https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451 OpenBadges + (T381220 <https://phabricator.wikimedia.org/T381220>, CVE-2025-23080) - XSSes in Special:BadgeView https://gerrit.wikimedia.org/r/q/Ic9448312fa7f1cbc8feac3f852bc8720568522e2 ArticleFeedbackv5 + (T381753 <https://phabricator.wikimedia.org/T381753>, CVE-2025-23079) - XSSes in Extension:ArticleFeedbackv5 https://gerrit.wikimedia.org/r/q/I6ee51c8b518bda41739fd666fa2891cc12e79ac3 BreadCrumbs2 + (T382043 <https://phabricator.wikimedia.org/T382043>, CVE-2025-23078) - XSS in BreadCrumbs2 https://gerrit.wikimedia.org/r/q/I7878f8f7bc067080f80427b90f8d85337f172711 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [1] https://phabricator.wikimedia.org/T375631 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

1 0

MediaWiki 1.41 is End of Life
by Sam Reed 21 Dec '24

21 Dec '24

As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.41 as of Tuesday December 31, 2024. 1.41.5 is expected to be the last release for this branch. This means that MediaWiki 1.41 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade either to MediaWiki 1.42, which will be supported until June 2025 or to the next LTS, 1.43 (due to be released soon), which will be supported until at least December 2027. Thanks! [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

Maintenance release: MediaWiki 1.39.11, 1.41.5 and 1.42.4
by Sam Reed 21 Dec '24

21 Dec '24

1 0

MediaWiki Extensions and Skins Security Release Supplement (1.39.9/1.41.3/1.42.2)
by Maryum Styles 05 Oct '24

05 Oct '24

Greetings- With the security/maintenance release of MediaWiki 1.39.9/1.41.3/1.42.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: PageTriage + (T366991, CVE-2024-47848) - User can review/unreview articles while blocked https://gerrit.wikimedia.org/r/q/I0288a715f7040a14ab7f70b2888fe1ef77a44588 CSS + (T368594, CVE-2024-47845) - CSS sanitizer used incorrectly https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53 Widgets + (T370022, CVE-2024-35226) - smarty library version has CVE https://gerrit.wikimedia.org/r/q/I18f161c338f8c52477a766524c255a31879d5e63 Cargo + (T370632, CVE-2024-47849) - Backticks can allow the usage of not-allowed SQL functions https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1055963 Cargo + (T372209, CVE-2024-47846) - Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1062723 Cargo + (T372211, CVE-2024-47847) - Various XSSes found in Cargo https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063804 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063806 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063827 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1063831 Apex + (T370081, CVE-2024-47840) - Stored XSS through sidebar https://gerrit.wikimedia.org/r/q/Id9093783051c3f8e6dcb5dc89f9493a5f5cf7bd7 CSS + (T369486, CVE-2024-47841) - Path traversal when loading stylesheets https://gerrit.wikimedia.org/r/q/I46613d8d50fc978bdac58e2b312ee03324c1edc8 DataTransfer + (T375358, CVE-2024-45048, CVE-2024-45046) - vulnerable version of `phpoffice/phpspreadsheet` https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1074761 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [1] https://phabricator.wikimedia.org/T368628 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

1 0

Maintenance release: MediaWiki 1.39.10, 1.41.4 and 1.42.3
by Sam Reed 01 Oct '24

01 Oct '24

1 0

Security and maintenance release: 1.39.9 / 1.41.3 / 1.42.2
by Sam Reed 01 Oct '24

01 Oct '24

1 0

(no subject)
by Sam Reed 28 Sep '24

28 Sep '24

Hi all, On Monday we will be issuing a security and maintenance release to all supported branches of MediaWiki. The new releases will be: - 1.39.9 - 1.41.3 - 1.42.2 This will resolve one security issue in a bundled extension, along with bug fixes included for maintenance reasons. This security issue affects many unsupported versions of MediaWiki. This release may or may not be made with a CVE number formally attached, due to the recent delays in receiving them from MITRE. We will make the fixes available in the respective release branches and master in git. Tarballs will be available for the above mentioned point releases as well. A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later. As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, and MediaWiki 1.40 became EOL in June 2024. It is strongly recommended to upgrade to either 1.39 (the next LTS after 1.35), which will be supported until November 2025, 1.41, which will be supported until December 2024, or 1.42, which will be supported until June 2025. [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

MediaWiki Extensions and Skins Security Release Supplement (1.39.8/1.40.4/1.41.2/1.42.0)
by Manfredi Martorana 10 Jul '24

10 Jul '24

Greetings- With the security/maintenance release of MediaWiki 1.39.8/1.40.4/1.41.2/1.42.0, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: CheckUser + (T361293 <https://phabricator.wikimedia.org/T361293>, CVE-2024-40606) - Special:CheckUser 'Get users' shows hidden usernames to those who do not have the rights to see it https://gerrit.wikimedia.org/r/q/Idc7ed16ca9f3b97735758286c1d1b924b49fb1b2 CheckUser + (T361295 <https://phabricator.wikimedia.org/T361295>, CVE-2024-40610) - CheckUser API for the 'ipusers' and 'actions' request type shows hidden usernames to those who cannot see them https://gerrit.wikimedia.org/r/q/I7a797d509e86916b8cc8a5b6519c42e6aa355ea9 CheckUser + (T361296 <https://phabricator.wikimedia.org/T361296>, CVE-2024-40608) - Special:Investigate exposes suppressed usernames to those who do not have the rights to see them https://gerrit.wikimedia.org/r/q/I75cce32b121ce4c7c2e35f7d00929dc201392241 CheckUser + (T361479 <https://phabricator.wikimedia.org/T361479>, CVE-2024-40607) - Special:CheckUser 'Get actions' page link can expose the username of a suppressed user via the 'logs' URL https://gerrit.wikimedia.org/r/q/I67d76232b131054713534d619d04972f4d84e232 CheckUser + (T326867 <https://phabricator.wikimedia.org/T326867>, CVE-2024-40598) - CheckUser API can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1017294 CheckUser + (T326865 <https://phabricator.wikimedia.org/T326865>, CVE-2024-40597) - Special:CheckUser can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1018782 CheckUser + (T338419 <https://phabricator.wikimedia.org/T338419>, CVE-2024-40609) - Wikimedia\RequestTimeout\RequestTimeoutException on Special:Investigate timeline mode https://gerrit.wikimedia.org/r/q/I968310f1f2383001d399befdfc72d41636501f22 CheckUser + (T268147 <https://phabricator.wikimedia.org/T268147>, CVE-2024-40611) - Special:CheckUser shows deleted edits to non-admins CheckUser + (T326866 <https://phabricator.wikimedia.org/T326866>, CVE-2024-40596) - Special:Investigate can expose suppressed information for log events https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034524 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1034100 GuMaxDD + (T361448 <https://phabricator.wikimedia.org/T361448>, CVE-2024-40599) - GuMaxDD skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I6c8a72fc6b9d53fc1cefa2ba20ea951eff21060a Nimbus + (T361450 <https://phabricator.wikimedia.org/T361450>, CVE-2024-40604) - Nimbus skin: stored XSS via MediaWiki:Nimbus-sidebar https://gerrit.wikimedia.org/r/q/Ie06722d1728d9cca010dc08fe1b08257c6d77dad Tempo + (T361451 <https://phabricator.wikimedia.org/T361451>, CVE-2024-40602) - Tempo skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I574710e673bf09270f385afb4e4b045790a5c14a Foreground + (T361452 <https://phabricator.wikimedia.org/T361452>, CVE-2024-40605) - Foreground skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I19522422f6dde1602322b9bd67f8ce028ee48344 BlueLL + (T361453 <https://phabricator.wikimedia.org/T361453>, CVE-2024-40612) - BlueLL skin: stored XSS via MediaWiki:Sidebar https://github.com/lingua-libre/BlueLL/pull/18 Metrolook + (T361449 <https://phabricator.wikimedia.org/T361449>, CVE-2024-40600) - Metrolook skin: stored XSS via MediaWiki:Sidebar https://gerrit.wikimedia.org/r/q/I269fa3af31ff4cdc18a65b095bc7e7d6f175582e MediaWikiChat + (T362588 <https://phabricator.wikimedia.org/T362588>, CVE-2024-40601) - Classic CSRF in MediaWikiChat's API modules https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaWikiChat/+/10234… ArticleRatings + (T363884 <https://phabricator.wikimedia.org/T363884>, CVE-2024-40603) - Special:ChangeRating is vulnerable to CSRF https://gerrit.wikimedia.org/r/q/Iafe1b12bc8567d39ca964b16223784374e8e4aa7 Gadgets + (T363773 <https://phabricator.wikimedia.org/T363773>, CVE-2024-40613) - Evil regex used to process gadget definitions https://gerrit.wikimedia.org/r/q/Ic9e1a181b261ae4d25e9ce2f91ad12f92e9855d9 The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3]. [1] https://phabricator.wikimedia.org/T361321 [2] https://www.mediawiki.org/wiki/Version_lifecycle [3] https://www.mediawiki.org/wiki/Reporting_security_bugs

1 0

MediaWiki 1.40 is End of Life
by Sam Reed 29 Jun '24

29 Jun '24

(This is a re-send to mediawiki-announce, with a typo fix, as it seem Mailman ate it) As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.40 as of today, Friday June 28, 2024. 1.40.4 is expected to be the last release for this branch. This means that MediaWiki 1.40 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it. It is recommended to upgrade either to MediaWiki 1.41, which will be supported until December 2024, or 1.42, which will be supported until June 2025. Thanks! [1] https://www.mediawiki.org/wiki/Version_lifecycle

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce