I would like to announce the release of MediaWiki 1.35.7, 1.37.3 and 1.38.2! There was no pre-release announcement as the security fixes being included are low risk XSS vulnerabilites that aren't exploitable in the default MediaWiki config. The patches have also been committed to git for a while.
These releases also serve as a maintenance release for these branches.
While tarballs have already been uploaded as of this e-mail, git tags will follow later on today.
An "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
T308473 only applies to MediaWiki > 1.35. Therefore the fix has not been back-ported to 1.35.
T309377 only applies to MediaWiki 1.35 due to having guzzlehttp/guzzle 6.5.5. MediaWiki >= 1.36 already had been upgraded to guzzlehttp/guzzle to 7.2. The patch for MediaWiki 1.35 in T309377 was superseded by the subsequent guzzlehttp/guzzle update in T311384.
Various patches aimed at PHP 8.0 and PHP 8.1 support have been backported. This should fix a lot of log spam, and MediaWiki should work on both versions.
Bug reports on PHP 8.0 and 8.1 are very welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/ and https://phabricator.wikimedia.org/tag/php_8.1_support/ for the relevant work boards.
== Security fixes == * (T308471) Username is not escaped in the "welcomeuser" message. * (T308473) Username not escaped in the contributions-title message. * (T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6. * (T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.
== Links to all mentioned tasks == * https://phabricator.wikimedia.org/T308471 * https://phabricator.wikimedia.org/T308473 * https://phabricator.wikimedia.org/T309377 * https://phabricator.wikimedia.org/T311384
== Release notes ==
Full release notes for 1.35.7: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.35
Full release notes for 1.37.3: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.37
Full release notes for 1.38.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES-... https://www.mediawiki.org/wiki/Release_notes/1.38
For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip
Patch to previous version (1.35.6): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip
Patch to previous version (1.37.2): https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip
Patch to previous version (1.38.1): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
wikitech-l@lists.wikimedia.org