I would like to announce the release of MediaWiki 1.35.12, 1.39.5 and 1.40.1!

These releases also serve as maintenance releases for these branches.

The tarballs have already been uploaded as of this email, and the git tags have been pushed.

Unfortunately at the time of finalising this release, none of our CVEs have been assigned a tracking number by MITRE. To get these releases out as detailed in the pre-release announcement, they are therefore documented as "CVE-2023-PENDING" here and in the commit messages of the commits that will be pushed. The related tasks will be updated in retrospect when the CVEs are issued, and we will also amend the RELEASE-NOTES files. They will then be retrospectively correctly documented in the next releases, and in HISTORY in the master branch of MediaWiki core.

Two of the referenced tasks and their applicable security fixes were not counted in the pre-release announcement.

Notes about specific CVEs:

T333050 was merged in public after the 1.35.11/1.38.7/1.39.4 and 1.40.0 releases.

T264765 was merged in public before the 1.39.5/1.40.1 releases, and would affect 1.36 onwards.

T340217 only applies to Vector 2022 in 1.40.

T340220 would affect 1.38 onwards, but is not being fixed in 1.38 due to that branch being unsupported since June 2023.

T340221 and T341529 are applied to all supported branches, but would also affect numerous unsupported branches.

T341565 against CVE-2023-3550 was made public on a third party platform before the reporters' own timeline (as disclosed to the Wikimedia Foundation), and also without approval from ourselves.

MediaWiki provides no support for displaying/rendering these XML files. MediaWiki in a default configuration is not vulnerable to this issue; 'xml' would have had to be added to '$wgFileExtensions' in LocalSettings.php.

It continues to be strongly recommended not to enable uploading XML files (via Special:Upload etc.; not via Special:Import). SVG files are not affected.

If you need to allow XML file upload (for some reason), you will now have to remove 'xml' from '$wgProhibitedFileExtensions' and the xml entries from '$wgMimeTypeExclusions' (in 1.35, from '$wgFileBlacklist' and '$wgMimeTypeBlacklist' respectively). Enabling the upload of XML files is strongly discouraged; if you need to allow it, it is strongly suggested that you only allow uploads from users that you trust, and that they only upload files from trusted sources.

See https://www.mediawiki.org/wiki/Manual:$wgProhibitedFileExtensions and https://www.mediawiki.org/wiki/Manual:$wgProhibitedFileExtensions for more information about how these mechanisms work.
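
The following is an added example, not code from MediaWiki or from this announcement: a small PHP check that reports whether a set of upload settings would let XML files through, using the setting names given above. The MIME types 'application/xml' and 'text/xml', the function name auditXmlUpload and the sample settings are assumptions made for illustration.

```php
<?php
// Added example, not MediaWiki code. Reports whether upload settings would
// let .xml files through, using the setting names from the announcement.

// Assumption: these are the "xml entries" meant for the MIME exclusion list.
const XML_MIME_TYPES = [ 'application/xml', 'text/xml' ];

/**
 * @param array $cfg Setting name (without "$") => value.
 * @return string[] Findings; empty when XML upload stays blocked.
 */
function auditXmlUpload( array $cfg ): array {
	$lower = static function ( $list ) {
		return array_map( 'strtolower', (array)$list );
	};
	// 1.35 uses the older setting names; later branches use the new ones.
	$prohibited = $lower( $cfg['wgProhibitedFileExtensions'] ?? $cfg['wgFileBlacklist'] ?? [] );
	$mimeExcluded = $lower( $cfg['wgMimeTypeExclusions'] ?? $cfg['wgMimeTypeBlacklist'] ?? [] );
	$allowed = $lower( $cfg['wgFileExtensions'] ?? [] );

	$findings = [];
	if ( in_array( 'xml', $allowed, true ) ) {
		$findings[] = "'xml' is listed in \$wgFileExtensions";
	}
	// Also fires on a wiki whose prohibited list predates these releases.
	if ( !in_array( 'xml', $prohibited, true ) ) {
		$findings[] = "'xml' is missing from the prohibited extension list";
	}
	$missing = array_diff( XML_MIME_TYPES, $mimeExcluded );
	if ( $missing ) {
		$findings[] = 'XML MIME types not excluded: ' . implode( ', ', $missing );
	}
	return $findings;
}

// Constructed sample settings: one locked-down wiki, one opened up for XML.
$samples = [
	'locked-down' => [
		'wgFileExtensions' => [ 'png', 'gif', 'jpg', 'jpeg', 'webp' ],
		'wgProhibitedFileExtensions' => [ 'html', 'js', 'php', 'xml' ],
		'wgMimeTypeExclusions' => [ 'text/html', 'application/xml', 'text/xml' ],
	],
	'xml-enabled (1.35 names)' => [
		'wgFileExtensions' => [ 'png', 'XML' ],
		'wgFileBlacklist' => [ 'html', 'js', 'php' ],
		'wgMimeTypeBlacklist' => [ 'text/html' ],
	],
];
foreach ( $samples as $name => $cfg ) {
	$findings = auditXmlUpload( $cfg );
	echo $name . ': ' . ( $findings ? implode( '; ', $findings ) : 'XML upload blocked' ) . "\n";
}
```

On a live wiki the same function can be given $GLOBALS after LocalSettings.php has been loaded, since its keys are the setting names without the leading '$'.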

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been back-ported.

Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/ and https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant work boards.

As a reminder, when 1.35 was released, it was originally due to become end of life (EOL) at the end of September 2023. Due to 1.39 being released late (November 2022), and to honor the commitment to the 1 year overlap of MediaWiki LTS releases, this formal EOL process is being delayed till at least the end of November 2023.

In practice, this may become sometime in December 2023, to coincide with the security and maintenance release for this quarter. A formal EOL announcement will come in advance.

It is therefore expected that 1.35.13 in December 2023 will become the final release for the 1.35 branch.

It is noted that support and CI for 1.35 are becoming more limited; backports are being done on a best-effort basis. Browser testing has been dropped for 1.35 in Wikimedia CI, due to the difficulty of supporting it.

It is strongly recommended to upgrade to 1.39 (the next LTS after 1.35), which will be supported until November 2025, or 1.40, which will be supported until June 2024.

== Security fixes ==

* (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T264765
* https://phabricator.wikimedia.org/T333050
* https://phabricator.wikimedia.org/T340217
* https://phabricator.wikimedia.org/T340220
* https://phabricator.wikimedia.org/T340221
* https://phabricator.wikimedia.org/T341529
* https://phabricator.wikimedia.org/T341565

== Release notes ==

Full release notes for 1.35.12:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.39.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.40.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_40/RELEASE-NOTES-1.40
https://www.mediawiki.org/wiki/Release_notes/1.40

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.12.zip

Patch to previous version (1.35.11):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.12.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.5.zip

Patch to previous version (1.39.4):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.1.zip

Patch to previous version (1.40.0):
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html