
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.39.12 / 1.42.6 / 1.43.1

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Sam Reed <reedy AT wikimedia.org>
  • To: MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>, wikitech-l AT lists.wikimedia.org, mediawiki-announce AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.39.12 / 1.42.6 / 1.43.1
  • Date: Thu, 10 Apr 2025 17:23:30 +0100
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/>
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

I would like to announce the release of MediaWiki 1.39.12, 1.42.6 and
1.43.1!

These releases serve as security and maintenance releases for these
branches.

Apologies for this release being late, it was due in the last week of
March. Unfortunately, due to the onongoing events of
https://meta.wikimedia.org/wiki/Wikimedia_Foundation/March_2025_discovery_of_account_compromises,
that took priority in terms of resources.

The tarballs have already been uploaded as of this email, and the git tags
will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible.

As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP 8.0
and 8.1 may have been backported to applicable releases. If you find issues
that haven't been backported, please report these too, referring to the
relevant supported release.

Please see https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant
work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,
MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in
December 2024.

MediaWiki 1.39 (old LTS) becomes EOL in November 2025.

MediaWiki 1.43 becomes EOL in June 2025.

It is strongly recommended to upgrade as appropriate to either 1.42, which
will be supported until June 2025, or ideally to 1.43 (the next LTS after
1.39), which will be supported until December 2027.

== Security fixes ==

* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file
revert action.
* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager:
Differentiate between cascading protection of file content and file pages.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
functions do not correctly enforce suppression restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
* (T389235, CVE-2025-32700) SECURITY: AbuseFilter log interfaces expose
global private and hidden filters when central DB is not available.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T24521
* https://phabricator.wikimedia.org/T62109
* https://phabricator.wikimedia.org/T140010
* https://phabricator.wikimedia.org/T304474
* https://phabricator.wikimedia.org/T358689
* https://phabricator.wikimedia.org/T385958
* https://phabricator.wikimedia.org/T387130
* https://phabricator.wikimedia.org/T389235

== Release notes ==

Full release notes for 1.39.12:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.42.5:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42
https://www.mediawiki.org/wiki/Release_notes/1.42

Full release notes for 1.43.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip

Patch to previous version (1.39.11):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.12.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip

Patch to previous version (1.42.4):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip

Patch to previous version (1.43.0):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html