[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.39.15 / 1.43.5 / 1.44.2

[Sam Reed <reedy AT wikimedia.org>]

I would like to announce the release of MediaWiki 1.39.15, 1.43.5 and 1.44.2

This release primarily serves as a security and maintenance release for
these branches.

REL1_39 had an issue with the VisualEditor extension backports.

REL1_43 had missing backports for the DiscussionTools and Thanks extensions
from.

REL1_44 also had an issue with a backport for a CheckUser extension patch.
This has been corrected in 1.44.2, but this unfortunately made another low
severity XSS apparent in MediaWiki core which affects all release branches.
This is tracked at T406322 under CVE-2025-11261.

Some other changes may be included in these patches based on what has been
merged to those branches in the meantime.

The tarballs have already been uploaded as of this email, and the git tags
have been pushed.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible. Please
see https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the relevant
work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,
MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in
December 2024 and MediaWiki 1.42 became EOL at the end of June 2025.

MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025. It
is strongly recommended to upgrade to 1.43 (the next LTS after 1.39), which
will be supported until December 2027.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T406322

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.15.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.15.zip

Patch to previous version (1.39.14):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.15.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.15.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.5.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.5.zip

Patch to previous version (1.43.4):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.5.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.2.zip

Patch to previous version (1.44.1):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.2.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org