Hi all,

On Wednesday we will be issuing a security and maintenance release to all supported branches of MediaWiki.

The new releases will be:

- 1.35.5
- 1.36.3
- 1.37.1

This release includes fixes for multiple high-severity authorization bypasses in MediaWiki core; it is recommended that you patch immediately. A short LocalSettings.php configuration snippet will also be shared to disable the vulnerable functionality if you are unable to patch right away. This snippet should work across all vulnerable MediaWiki versions, including end-of-life ones.

In addition, this release will resolve other issues in MediaWiki core and also includes some fixes previously committed to git, including minor security and hardening patches along with bug fixes included for maintenance reasons.

It also fixes 2 issues in extensions bundled with the MediaWiki tarball.

We will make the fixes available in the respective release branches and in master. Tarballs will be available for the above-mentioned point releases as well.

A summary of some of the security fixes that have gone into non-bundled MediaWiki extensions will also follow later.