I would like to announce the release of MediaWiki 1.35.7, 1.37.3 and 1.38.2! There was no pre-release announcement as the security fixes being included are low-risk XSS vulnerabilities that aren't exploitable in the default MediaWiki config. The patches have also been committed to git for a while.
These releases also serve as maintenance releases for these branches.
While tarballs have already been uploaded as of this e-mail, git tags will follow later on today.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
T308473 only applies to MediaWiki > 1.35. Therefore the fix has not been back-ported to 1.35.
T309377 only applies to MediaWiki 1.35 due to having guzzlehttp/guzzle 6.5.5. MediaWiki >= 1.36 had already been upgraded to guzzlehttp/guzzle 7.2. The patch for MediaWiki 1.35 in T309377 was superseded by the subsequent guzzlehttp/guzzle update in T311384.
Various patches aimed at PHP 8.0 and PHP 8.1 support have been backported. This should fix a lot of log spam, and MediaWiki should work on both versions.
== Security fixes ==
* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.
* (T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
* (T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.