it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.43.7 / 1.44.4 / 1.45.2
- From: Sam Reed via MediaWiki-announce <mediawiki-announce AT lists.wikimedia.org>
- To: wikitech-l AT lists.wikimedia.org, mediawiki-announce AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>
- Cc: Sam Reed <reedy AT wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.43.7 / 1.44.4 / 1.45.2
- Date: Wed, 1 Apr 2026 00:06:16 +0100
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/DIBLSBHISKX6NFRUFNOGZRVW42E7R2QP/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
I would like to announce the release of MediaWiki 1.43.7, 1.44.4 and 1.45.2!
These releases serve as security and maintenance releases for these
branches.
They ended up a little later than expected in the day, due to a last-minute
addition of the fix to Echo in T420154.
The tarballs have already been uploaded as of this email, and the git tags
will be pushed shortly.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and
fixes will be back-ported when possible. If you find issues that haven't
been backported, please report these too, referring to the relevant
supported release.
PHP 8.x workboards:
* https://phabricator.wikimedia.org/tag/php_8.0_support/
* https://phabricator.wikimedia.org/tag/php_8.1_support/
* https://phabricator.wikimedia.org/tag/php_8.2_support/
* https://phabricator.wikimedia.org/tag/php_8.3_support/
* https://phabricator.wikimedia.org/tag/php_8.4_support/
* https://phabricator.wikimedia.org/tag/php_8.5_support/
As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki
1.42 became EOL in June 2025.
== Security fixes ==
* (T384147, CVE-2026-34092) SECURITY: Block UI elements in 'tools'-sidebar
shows presence of an autoblocked IP.
* (T410429, CVE-2026-34088) SECURITY: RecentChanges entries expose
suppressed content via generated log page html.
* (T411305, CVE-2026-34091) SECURITY: User localization leaked by
AbuseFilter + EventStream.
* (T411366, CVE-2026-34090) SECURITY: Suggested investigations: Handle
suppressed usernames.
* (T412061, CVE-2026-34087) SECURITY: Users API leaks whether privileged
users have their user groups disabled for lack of 2FA.
* (T414547, CVE-2026-34093) SECURITY: Special:UserRights allows viewing
user rights from private wiki.
* (T415584, CVE-2026-34086) SECURITY: AbuseFilter misuses
::userCanBitfield, exposing access-controlled information.
* (T416090, CVE-2026-34094) SECURITY: Customized help link for page
protection indicator is relative to subpage name, because the link target
is missing the "/wiki/" prefix.
* (T419168, CVE-2026-34089) SECURITY: Memory leak in Scribunto causes
runJobs.php to run out of memory.
* (T419192, CVE-2026-34095) SECURITY: action=raw with Special:Mypage
subpage title responds with "Content-Type: text/html" on
ctype=text/javascript request.
* (T420154, CVE-2026-5266) SECURITY: Notifications (Echo) API can be used
by any OAuth tool.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T384147
* https://phabricator.wikimedia.org/T410429
* https://phabricator.wikimedia.org/T411305
* https://phabricator.wikimedia.org/T411366
* https://phabricator.wikimedia.org/T412061
* https://phabricator.wikimedia.org/T414547
* https://phabricator.wikimedia.org/T415584
* https://phabricator.wikimedia.org/T416090
* https://phabricator.wikimedia.org/T419168
* https://phabricator.wikimedia.org/T419192
* https://phabricator.wikimedia.org/T420154
== Release notes ==
Full release notes for 1.43.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43
Full release notes for 1.44.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44
https://www.mediawiki.org/wiki/Release_notes/1.44
Full release notes for 1.45.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45
https://www.mediawiki.org/wiki/Release_notes/1.45
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip
Patch to previous version (1.43.6):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip
Patch to previous version (1.44.3):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip
Patch to previous version (1.45.1):
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html