I would like to announce the release of MediaWiki 1.39.9, 1.41.3 and 1.42.2!
These releases also serve as a maintenance release for these branches.
Apologies for the missing subject on the pre-announce email sent last week.
The tarballs have already been uploaded as of this email, and the git tags have been pushed.
Unfortunately at the time of finalising this release, the CVE has not been assigned a tracking number by MITRE. To get these releases out as detailed in the pre-release announcement, they are therefore documented as "CVE-2024-PENDING" here and in the commit messages of the commits that will be pushed. The related tasks will be updated in retrospect when the CVEs are issued, and we will also amend the RELEASE-NOTES files. They will then be retrospectively correctly documented in the next releases, and in HISTORY in the master branch of MediaWiki core.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/ and https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant work boards.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, and MediaWiki 1.40 became EOL in June 2024.
It is strongly recommended to upgrade to either 1.39 (the next LTS after 1.35), which will be supported until November 2025, 1.41, which will be supported until December 2024, or 1.42, which will be supported until June 2025.
It is noted that this issue fixed in AbuseFilter is replicable back to at least 1.19, if not before (though AbuseFilter was not bundled till 1.38).
== Security fixes ==
* (T372998, CVE-2024-PENDING) SECURITY: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T372998
== Release notes ==
Full release notes for 1.39.9: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.39
Full release notes for 1.41.3: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_41/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.41
Full release notes for 1.42.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.42
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.zip
Patch to previous version (1.39.8): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.9.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.9.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.tar.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.tar.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.zip
Patch to previous version (1.41.2): https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.gz https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.3.zip.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.zip.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.3.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.zip
Patch to previous version (1.42.1): https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.2.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.2.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
mediawiki-announce@lists.wikimedia.org