
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.39.13 / 1.42.7 / 1.43.2

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Sam Reed <reedy AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.39.13 / 1.42.7 / 1.43.2
  • Date: Mon, 30 Jun 2025 19:02:30 +0100
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/TT45WDZ7MDTXXBEFLBMLAJI532O2PN2U/>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b=VxjeS6wb; spf=pass (lists.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:3:208:80:154:81 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org; dmarc=pass (policy=none) header.from=wikimedia.org
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

I would like to announce the release of MediaWiki 1.39.13, 1.42.7 and 1.43.2!

These releases serve as security and maintenance releases for these branches.

The tarballs have already been uploaded as of this email, and the git
tags will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will
follow this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible.

As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP
8.0 and 8.1 may have been backported to applicable releases. If you
find issues that haven't been backported, please report these too,
referring to the relevant supported release.

Please see https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the
relevant work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December
2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became
EOL in December 2024.

MediaWiki 1.39 (old LTS) becomes EOL in November 2025.

MediaWiki 1.42 becomes EOL today, June 30, 2025. A separate email will
follow.

It is strongly recommended to upgrade to 1.43 (the next LTS after
1.39), which will be supported until December 2027.

== Security fixes ==

* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing
suppressed users.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in
HTMLUserTextField validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T391218, CVE-2025-6592) SECURITY: Creating a permanent account from
a temporary account associates temp username and IP address with real
username in AbuseLog.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS
when invalid 'format' is provided.
* (T394863, CVE-2025-6595) SECURITY: Stored XSS through system
messages in MultimediaViewer.
* (T396685, CVE-2025-6596) Vector inserts portlet labels as HTML,
allowing for stored XSS through system messages.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as
login for reauthentication.
* (T389010, CVE-2025-6926) SECURITY: Allow extensions to suppress the
reauth flag on login.
* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when
bl_deleted=1.
* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via
autoblocks of those users.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T31856
* https://phabricator.wikimedia.org/T386175
* https://phabricator.wikimedia.org/T389009
* https://phabricator.wikimedia.org/T389010
* https://phabricator.wikimedia.org/T391218
* https://phabricator.wikimedia.org/T391343
* https://phabricator.wikimedia.org/T392276
* https://phabricator.wikimedia.org/T392746
* https://phabricator.wikimedia.org/T394863
* https://phabricator.wikimedia.org/T395063
* https://phabricator.wikimedia.org/T396230
* https://phabricator.wikimedia.org/T396685
* https://phabricator.wikimedia.org/T397595

== Release notes ==

Full release notes for 1.39.13:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.42.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOTES-1.42
https://www.mediawiki.org/wiki/Release_notes/1.42

Full release notes for 1.43.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip

Patch to previous version (1.39.12):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip

Patch to previous version (1.42.6):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip

Patch to previous version (1.43.1):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html