
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Security pre-release announcement: 1.43.9 / 1.44.6 / 1.45.4

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecNots] [MediaWiki-announce] Security pre-release announcement: 1.43.9 / 1.44.6 / 1.45.4


  • From: Sam Reed via MediaWiki-announce <mediawiki-announce AT lists.wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>
  • Cc: Sam Reed <reedy AT wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Security pre-release announcement: 1.43.9 / 1.44.6 / 1.45.4
  • Date: Thu, 25 Jun 2026 23:25:18 +0100
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/6JITMBXZ6TXX3MW32BN33Z3JNHPJGJZS/>
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

Hi all,

On Monday (2026-06-29) we will be issuing a security and maintenance
release to all supported branches of MediaWiki.

Due to the complexity of various patches that will be released as part of
this, they will be made public in Gerrit before the tarballs and git tags
are made.

We have therefore provided mitigations for some high-severity issues, both
in the referenced tickets and below.

It is strongly recommended to apply the mitigations to your MediaWiki
installs ASAP, before the patches are released.

While Timeline/EasyTimeline[2] is *not* a MW Bundled extension, it is used
on Wikimedia wikis and is also widely used across the MediaWiki
installation ecosystem; it is therefore flagged for your attention due to
the issues found. If you do not have this extension installed, you do not
need to do anything for that mitigation.

The new releases will be:
- 1.43.9
- 1.44.6
- 1.45.4

These security issues will also be included in 1.46.0, which is due to be
released afterwards.

Security issues:

MediaWiki Core: https://phabricator.wikimedia.org/T422244 - RCE

Mitigation patch:
Making use of $wgRevokePermissions [4], the following lines can be added to
your LocalSettings.php; they will temporarily disable all importing and
therefore prevent malicious files from being imported by any user:

$wgRevokePermissions['*']['importupload'] = true;
$wgRevokePermissions['*']['import'] = true;

You will want to remove these lines once you have applied the security
patches/upgraded to the latest point release versions. We recommend that
you restrict imports to trusted users.
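As an added example (not part of the announcement), the same revocation can be made self-expiring so it stops applying once the install is on a fixed release, while a second block keeps import restricted to the sysop group afterwards. It assumes the MW_VERSION constant is available in LocalSettings.php and that sysop is the only group that should hold import rights.

```php
<?php
// LocalSettings.php excerpt (added example, not from the announcement).

/**
 * True when $version is a release that already contains the import RCE fix.
 * Fixed releases per the announcement: 1.43.9, 1.44.6, 1.45.4 and 1.46.0+.
 * Unknown older branches (e.g. 1.39, 1.42) are EOL and treated as unfixed.
 */
function isImportRceFixed( string $version ): bool {
    $fixedByBranch = [ '1.43' => '1.43.9', '1.44' => '1.44.6', '1.45' => '1.45.4' ];
    $branch = implode( '.', array_slice( explode( '.', $version ), 0, 2 ) );
    if ( isset( $fixedByBranch[$branch] ) ) {
        return version_compare( $version, $fixedByBranch[$branch], '>=' );
    }
    // 1.46.0 and later ship the fix; a dev build such as 1.46.0-alpha sorts
    // below 1.46.0 and therefore keeps the mitigation, which is the safe side.
    return version_compare( $version, '1.46.0', '>=' );
}

// Assumption: MW_VERSION is defined before LocalSettings.php is read.
if ( !isImportRceFixed( MW_VERSION ) ) {
    // '*' is the implicit group every visitor and account belongs to, so no
    // other group's grant can override this revocation while it is active.
    $wgRevokePermissions['*']['import'] = true;
    $wgRevokePermissions['*']['importupload'] = true;
}

// Long-term hardening, independent of the patch state: only sysops may import.
// MediaWiki grants these rights to sysop by default; this strips any local
// grants that were added to other groups.
foreach ( array_keys( $wgGroupPermissions ) as $group ) {
    if ( $group !== 'sysop' ) {
        $wgGroupPermissions[$group]['import'] = false;
        $wgGroupPermissions[$group]['importupload'] = false;
    }
}
```

After upgrading, Special:ListGroupRights shows which groups still hold import and importupload, which is a quick way to confirm the result.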

Non-bundled extension security issues:

Timeline: https://phabricator.wikimedia.org/T426631 - RCE

A Remote Code Execution vulnerability exists in the Perl script that
EasyTimeline executes to render the timelines.

If you run EasyTimeline in a similar fashion to Wikimedia Production, where
EasyTimeline's Perl scripts are executed in a remote Shellbox (VM or
Kubernetes), exposure is more limited.

Mitigation: Disable the Timeline (EasyTimeline) extension until patches are
released, especially if you do not run the execution in a remote Shellbox.
Or, if you have access to the security tasks, apply the patch from the task.

Timeline: https://phabricator.wikimedia.org/T427611 - Stored XSS in SVG
file output

It is possible to store an XSS payload in the SVG files generated by Timeline.
These aren't used by MediaWiki by default (though they may be used for RTL
timelines), but these files would still be hosted by your wiki and could
be hotlinked elsewhere.

Mitigation: Disable the Timeline (EasyTimeline) extension until patches are
released, especially if you do not run the execution in a remote Shellbox.
Or, if you have access to the security tasks, apply the patch from the task.

Appropriate CSP configuration can also help prevent XSS vectors such as
this.
This release will also resolve security issues in bundled extensions, along
with bug fixes included for maintenance reasons.

These security issues also affect many unsupported versions of MediaWiki.

We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.

A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.

As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki
1.42 became EOL in June 2025.

MediaWiki 1.44 becomes EOL at the end of July 2026.

MediaWiki 1.46 is due to be released following this security release.

More information on these timelines can be viewed on the version lifecycle
page at [1].

Thank you,

Wikimedia Foundation, Product Safety and Integrity
security-help AT wikimedia.org

[1] https://www.mediawiki.org/wiki/Version_lifecycle
[2] https://www.mediawiki.org/wiki/Extension:EasyTimeline
[3] https://www.mediawiki.org/wiki/Manual:Security#File_permissions
[4] https://www.mediawiki.org/wiki/Manual:$wgRevokePermissions
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org


