Hi all,
On Thursday we will be issuing a security and maintenance release to all supported branches of MediaWiki.
The new releases will be:
- 1.35.12
- 1.39.5
- 1.40.1
This will resolve four security issues in MediaWiki core and two in a bundled skin, along with bug fixes included for maintenance reasons. This includes various patches for PHP 8.0, PHP 8.1 and PHP 8.2 support.
One issue in a bundled skin only affects MediaWiki 1.40 and master, the other bundled skin issue affects MediaWiki 1.39, 1.40 and master.
A partial fix for one of the skin issues is already merged into the relevant release branch.
One more minor security fix was merged in public after the releases of 1.35.11/1.38.7/1.39.4/1.40.0.
We will make the fixes available in the respective release branches and master in git. Tarballs will be available for the above-mentioned point releases as well.
A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later.
As a reminder, when 1.35 was released, it was originally due to become end of life (EOL) at the end of September 2023. Due to 1.39 being released late (November 2022), and to honor the commitment to the 1 year overlap of MediaWiki LTS releases, this formal EOL process is being delayed till at least the end of November 2023.
In practice, this may end up being sometime in December 2023, to coincide with the security and maintenance release for that quarter. A formal EOL announcement for 1.35 will come in advance of that point.
It is therefore expected that 1.35.13 in December 2023 will become the final release for the 1.35 branch.
It is noted that support and CI for 1.35 are becoming more limited; backports are becoming best-effort. Browser testing has been dropped for 1.35 in Wikimedia CI, due to the difficulties of supporting it.
It is strongly recommended to upgrade to 1.39 (the next LTS after 1.35), which will be supported until November 2025, or 1.40, which will be supported until June 2024.