I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and 1.43.1!
These releases serve as security and maintenance releases for these branches.
Apologies for this release being late, it was due in the last week of March. Unfortunately, due to the onongoing events of https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of..., that took priority in terms of resources.
The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are particularly welcome, and fixes will be back-ported when possible.
As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP 8.0 and 8.1 may have been backported to applicable releases. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.
Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/, https://phabricator.wikimedia.org/tag/php_8.3_support/ and https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant work boards.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in December 2024.
MediaWiki 1.39 (old LTS) becomes EOL in November 2025.
MediaWiki 1.43 becomes EOL in June 2025.
It is strongly recommended to upgrade as appropriate to either 1.42, which will be supported until June 2025, or ideally to 1.43 (the next LTS after 1.39), which will be supported until December 2027.
== Security fixes ==
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert action. * (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager: Differentiate between cascading protection of file content and file pages. * (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions. * (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack enabled by Unicode normalization in Action API. * (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in HTMLMultiSelectField when sections are used. * (T389235 CVE-2025-32700) SECURITY: AbuseFilter log interfaces expose global private and hidden filters when central DB is not available.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T24521 * https://phabricator.wikimedia.org/T62109 * https://phabricator.wikimedia.org/T140010 * https://phabricator.wikimedia.org/T304474 * https://phabricator.wikimedia.org/T358689 * https://phabricator.wikimedia.org/T385958 * https://phabricator.wikimedia.org/T387130 * https://phabricator.wikimedia.org/T389235
== Release notes ==
Full release notes for 1.39.12: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.39
Full release notes for 1.42.5: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.42
Full release notes for 1.43.1: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.43
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip
Patch to previous version (1.39.11): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz.... https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip.si...
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip
Patch to previous version (1.42.4): https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip
Patch to previous version (1.43.0): https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
One thing if Elon muzk is evolved whit you I tell you that I don't agree so I will stop any project whit you he is not welcome to any of my wikis he needs to stay a way from my browser to I will take actions against any one so wen I categorize one is end annemy that is end ennamy for me end I will stop in to I take down live or dead imsorry buy the words bud before I consider send all tops of militia you all need to think about what you want for your future remember im the law international end the regulatory OFAC do you understand ,thank you he just ruin end still alot from USA end here so I never let hem came in here if he does you all will endure paying everything
On Thu, Apr 10, 2025, 12:24 PM Sam Reed reedy@wikimedia.org wrote:
I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and 1.43.1!
These releases serve as security and maintenance releases for these branches.
Apologies for this release being late, it was due in the last week of March. Unfortunately, due to the onongoing events of https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of..., that took priority in terms of resources.
The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are particularly welcome, and fixes will be back-ported when possible.
As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP 8.0 and 8.1 may have been backported to applicable releases. If you find issues that haven't been backported, please report these too, referring to the relevant supported release.
Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/, https://phabricator.wikimedia.org/tag/php_8.3_support/ and https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant work boards.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in December 2024.
MediaWiki 1.39 (old LTS) becomes EOL in November 2025.
MediaWiki 1.43 becomes EOL in June 2025.
It is strongly recommended to upgrade as appropriate to either 1.42, which will be supported until June 2025, or ideally to 1.43 (the next LTS after 1.39), which will be supported until December 2027.
== Security fixes ==
- (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file
revert action.
- (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager:
Differentiate between cascading protection of file content and file pages.
- (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
functions do not correctly enforce suppression restrictions.
- (T387130, CVE-2025-32699) SECURITY: Potential javascript injection
attack enabled by Unicode normalization in Action API.
- (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
- (T389235 CVE-2025-32700) SECURITY: AbuseFilter log interfaces expose
global private and hidden filters when central DB is not available.
== Links to all mentioned tasks ==
- https://phabricator.wikimedia.org/T24521
- https://phabricator.wikimedia.org/T62109
- https://phabricator.wikimedia.org/T140010
- https://phabricator.wikimedia.org/T304474
- https://phabricator.wikimedia.org/T358689
- https://phabricator.wikimedia.org/T385958
- https://phabricator.wikimedia.org/T387130
- https://phabricator.wikimedia.org/T389235
== Release notes ==
Full release notes for 1.39.12:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.39
Full release notes for 1.42.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.42
Full release notes for 1.43.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.43
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip
Patch to previous version (1.39.11): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz....
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip.si...
Public keys: https://www.mediawiki.org/keys/keys.html
Download: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip
Patch to previous version (1.42.4): https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
Download: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip
Patch to previous version (1.43.0): https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html _______________________________________________ MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
mediawiki-l@lists.wikimedia.org