it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.43.9 / 1.44.6 / 1.45.4
- From: Sam Reed via MediaWiki-announce <mediawiki-announce AT lists.wikimedia.org>
- To: mediawiki-announce AT lists.wikimedia.org, MediaWiki announcements and site admin list <mediawiki-l AT lists.wikimedia.org>, wikitech-l AT lists.wikimedia.org
- Cc: Sam Reed <reedy AT wikimedia.org>
- Subject: [IT-SecNots] [MediaWiki-announce] Security and maintenance release: 1.43.9 / 1.44.6 / 1.45.4
- Date: Mon, 29 Jun 2026 19:31:39 +0100
- Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/J52N2ONQO7GP3XR7UIEA5PI7SVZYTBJ7/>
- List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
- List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>
I would like to announce the release of MediaWiki 1.43.9, 1.44.6 and 1.45.4!
These releases serve as security and maintenance releases for these
branches.
The tarballs have already been uploaded as of this email, and the git tags
have been pushed.
A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.1 to 8.5 support are particularly welcome, and
fixes will be back-ported when possible. If you find issues that haven't
been backported, please report these too, referring to the relevant
supported release.
PHP 8.x workboards:
* https://phabricator.wikimedia.org/tag/php_8.1_support/
* https://phabricator.wikimedia.org/tag/php_8.2_support/
* https://phabricator.wikimedia.org/tag/php_8.3_support/
* https://phabricator.wikimedia.org/tag/php_8.4_support/
* https://phabricator.wikimedia.org/tag/php_8.5_support/
As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki
1.42 became EOL in June 2025.
MediaWiki 1.44 becomes EOL at the end of July 2026.
MediaWiki 1.46 is due to be released following this security release.
== Security fixes ==
=== MediaWiki Core ===
T422244 - LogItem RCE
When importing log entries (a right only given to sysops by default),
insecure deserialization makes it possible to use a specially crafted XML
file to trigger both an arbitrary file write vulnerability (if insecure file
permissions allow [3]) and a Remote Code Execution vulnerability in
MediaWiki core.
After upgrading, you can remove these lines from your LocalSettings.php:
$wgRevokePermissions['*']['importupload'] = true;
$wgRevokePermissions['*']['import'] = true;
* (T425406, CVE-2026-58036) SECURITY: Fix ApiQueryUsers leaking status of
private user conditions for user.
* (T422306, CVE-2026-58028) SECURITY: Disallow user JS in pretty-print
api.php responses.
* (T427235, CVE-2026-58033) SECURITY: Exclude rev-deleted usernames from
distinct authors query.
* (T426867, CVE-2026-58032) SECURITY: mw.Api.getErrorMessage: Treat
formatversion=1 as text.
* (T299359, CVE-2026-58026) SECURITY: Make sure the actual title that's
being transcluded is includable.
* (T422085, CVE-2026-58024) SECURITY: Restrict interwiki user lookup in
ApiUserrights.
* (T422676, CVE-2026-58029) SECURITY: Check for editmyprivateinfo right in
more places.
* (T422995, CVE-2026-58037) SECURITY: LogFormatter: 'raw' parameter format
is no longer raw HTML.
* (T422244, CVE-2026-58025) SECURITY: Safely unserialize log entry
parameters.
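The LogItem issue above (T422244) and its fix entry, "Safely unserialize log entry parameters", are both about the same root cause: serialized PHP arriving from an import being handed to unserialize() without restrictions. The following PHP function is an added illustration of the general hardening pattern; it is not MediaWiki's actual patch, and the sample blobs at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative hardened unserialize for a log-entry parameter blob.
 * Not MediaWiki's own code; it shows the pattern of never letting
 * attacker-controlled serialized data instantiate PHP classes.
 *
 * @return array|null  Decoded parameter array, or null when the blob is
 *                     malformed or contains an object at any depth.
 */
function safeUnserializeLogParams( string $blob ): ?array {
    // allowed_classes => false turns every O:/C: record into
    // __PHP_Incomplete_Class instead of constructing a real object, so no
    // __wakeup()/__destruct() code path of an application class is reached.
    $data = @unserialize( $blob, [ 'allowed_classes' => false ] );

    // unserialize() returns false on malformed input. A legitimately
    // serialized `false` (b:0;) would look the same, but a parameter blob
    // is always an array, so anything that is not an array is rejected.
    if ( $data === false || !is_array( $data ) ) {
        return null;
    }

    // Reject objects at any nesting depth: a parameter array may contain
    // only scalars, nulls and nested arrays.
    $hasObject = false;
    array_walk_recursive( $data, static function ( $value ) use ( &$hasObject ) {
        if ( is_object( $value ) ) {
            $hasObject = true;
        }
    } );

    return $hasObject ? null : $data;
}

// Constructed sample blobs (not taken from a real wiki database).
$samples = [
    'plain params'  => 'a:2:{s:7:"4::user";s:5:"Alice";s:6:"5::num";i:3;}',
    'top-level obj' => 'O:8:"stdClass":0:{}',
    'nested obj'    => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'malformed'     => 'a:1:{',
];

foreach ( $samples as $label => $blob ) {
    $result = safeUnserializeLogParams( $blob );
    printf( "%-14s => %s\n", $label,
        $result === null ? 'REJECTED' : json_encode( $result ) );
}
```

Only the first sample is accepted; the two object-bearing blobs and the truncated one are rejected before any of their content is used. Restricting allowed_classes is the cheap first line of defence; checking the decoded shape afterwards is what stops an "incomplete" object from being silently stored and re-serialized later.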
=== AbuseFilter ===
* (T406954, CVE-2026-58027) SECURITY: Hide hit count for private/protected
filters in API.
=== SyntaxHighlight_GeSHi ===
* (T427167, CVE-2026-58030) SECURITY: Escape linelinks argument before
passing it on to Pygments.
=== Timeline ===
As per the pre-release email, while it is not bundled with the release, the
Timeline issues are included because it is used by Wikimedia wikis and is
also widely used across the MediaWiki installation ecosystem.
You can re-enable the extension after you have updated it.
Non-bundled extension security issues:
T426631 - RCE
A Remote Code Execution vulnerability exists in the perl script that
EasyTimeline executes to render the timelines.
If you run EasyTimeline in a similar fashion to Wikimedia Production, where
EasyTimeline’s perl scripts are executed in a remote shellbox (vm or
kubernetes), exposure is more limited.
T427611 - Stored XSS in SVG file output
It is possible to store an XSS in the SVG files generated by timeline.
These aren’t used by MediaWiki by default (though they may be used for RTL
timelines), but these files would still be hosted by your wiki, and could
be hot linked elsewhere.
* (T426631, CVE-2026-8857) SECURITY: EasyTimeline: Harden against script
injection via TextData.
* (T426631, CVE-2026-8857) SECURITY: EasyTimeline: Strip newlines from
BarData and Scale text.
* (T427611, CVE-2026-58038) SECURITY: Run timeline generated SVG through MW
upload checks.
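The last fix above (T427611) routes Timeline-generated SVG through MediaWiki's upload checks rather than trusting it because it was produced server-side. As an added, simplified example of what such a check looks for, here is a PHP function that inspects an SVG document for script vectors. It is not MediaWiki's UploadBase code or the Timeline patch, and the two sample documents are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative SVG script-vector check (not MediaWiki's own upload logic).
 *
 * @return string[] Reasons for rejection; an empty array means the file
 *                  passed this check.
 */
function findSvgScriptVectors( string $svg ): array {
    $problems = [];

    $prevErrors = libxml_use_internal_errors( true );
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities while checking.
    $ok = $doc->loadXML( $svg, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prevErrors );
    if ( !$ok ) {
        return [ 'not well-formed XML' ];
    }

    $xpath = new DOMXPath( $doc );
    foreach ( $xpath->query( '//*' ) as $el ) {
        /** @var DOMElement $el */
        $name = strtolower( $el->localName );

        // <script> runs directly; <foreignObject> can embed arbitrary HTML.
        if ( $name === 'script' || $name === 'foreignobject' ) {
            $problems[] = "element <$name>";
        }

        foreach ( $el->attributes as $attr ) {
            /** @var DOMAttr $attr */
            $aname = strtolower( $attr->localName );
            $value = trim( $attr->value );

            // Every on* attribute is an event handler.
            if ( str_starts_with( $aname, 'on' ) ) {
                $problems[] = "event handler attribute $aname on <$name>";
            }

            // href / xlink:href with a javascript: scheme (localName strips
            // the xlink prefix, so both spellings are caught here).
            if ( $aname === 'href' && preg_match( '/^\s*javascript\s*:/i', $value ) ) {
                $problems[] = "javascript: href on <$name>";
            }
        }
    }

    return $problems;
}

// Constructed sample documents for the demonstration.
$benign = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect x="0" y="0" width="10" height="10" fill="#ccc"/>'
    . '<text x="1" y="8">2026</text></svg>';

$hostile = '<svg xmlns="http://www.w3.org/2000/svg"'
    . ' xmlns:xlink="http://www.w3.org/1999/xlink">'
    . '<rect width="10" height="10" onload="void 0"/>'
    . '<a xlink:href="javascript:void 0"><text>x</text></a>'
    . '<script>/* placeholder */</script></svg>';

foreach ( [ 'benign' => $benign, 'hostile' => $hostile ] as $label => $svg ) {
    $found = findSvgScriptVectors( $svg );
    echo $label, ': ', $found ? implode( '; ', $found ) : 'OK', "\n";
}
```

The benign document passes; the hostile one is reported three times (the event handler, the javascript: link and the script element). The point the fix makes is that the origin of an SVG (a renderer the wiki itself invoked) is not a reason to skip the check, because the renderer's input was user-controlled wikitext.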
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T299359
* https://phabricator.wikimedia.org/T406954
* https://phabricator.wikimedia.org/T422085
* https://phabricator.wikimedia.org/T422244
* https://phabricator.wikimedia.org/T422306
* https://phabricator.wikimedia.org/T422676
* https://phabricator.wikimedia.org/T422995
* https://phabricator.wikimedia.org/T425406
* https://phabricator.wikimedia.org/T426631
* https://phabricator.wikimedia.org/T426867
* https://phabricator.wikimedia.org/T427167
* https://phabricator.wikimedia.org/T427235
* https://phabricator.wikimedia.org/T427611
== Release notes ==
Full release notes for 1.43.9:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43
https://www.mediawiki.org/wiki/Release_notes/1.43
Full release notes for 1.44.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44
https://www.mediawiki.org/wiki/Release_notes/1.44
Full release notes for 1.45.4:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45
https://www.mediawiki.org/wiki/Release_notes/1.45
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.9.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.9.zip
Patch to previous version (1.43.8):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.9.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.9.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.6.zip
Patch to previous version (1.44.5):
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.6.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.4.tar.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.4.zip
Patch to previous version (1.45.3):
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.patch.gz
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.zip.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.4.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce AT lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave AT lists.wikimedia.org
Archive provided by MHonArc 2.6.19+.