it-securitynotifies - [IT-SecNots] [MediaWiki-announce] Announcing MediaWiki 1.46.0

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Mateus Santos via MediaWiki-announce <mediawiki-announce AT lists.wikimedia.org>
  • To: Wikimedia developers <wikitech-l AT lists.wikimedia.org>, mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org
  • Cc: Mateus Santos <msantos AT wikimedia.org>
  • Subject: [IT-SecNots] [MediaWiki-announce] Announcing MediaWiki 1.46.0
  • Date: Tue, 30 Jun 2026 18:14:09 +0200
  • Archived-at: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/message/Q2NIZ476NK7XKTOQY6PHE6B3QOB24Z5Z/>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=lists.wikimedia.org header.s=wikimedia header.b=Lo8HEcZK; dmarc=pass (policy=none) header.from=lists.wikimedia.org; arc=reject ("signature check failed: fail, {[1] = sig:google.com:reject}"); spf=pass (lists.piratenpartei.de: domain of mediawiki-announce-bounces AT lists.wikimedia.org designates 2620:0:861:3:208:80:154:81 as permitted sender) smtp.mailfrom=mediawiki-announce-bounces AT lists.wikimedia.org
  • List-archive: <https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce AT lists.wikimedia.org/>
  • List-id: MediaWiki update and security announcements list <mediawiki-announce.lists.wikimedia.org>

I am happy to announce the availability of the general release of MediaWiki
1.46!

Tarballs have already been uploaded, and the git tag has been pushed.

Thanks to everyone who helped out with this release, especially thanks to
those who tested out the release candidate and provided feedback, as well
as the developers who worked on fixes for the 1.46 final release. To see
what's changed in 1.46, see the release notes file.[0] If you encounter any
issues, please file a task.[1] You can see open tasks for the branch on
Phabricator.[2]

MediaWiki 1.46 is due to be supported until the end of July 2026.

It's important to note that 1.46.0 is shipped with the changes released on
the current security and maintenance release.

=== Changes since MediaWiki 1.46.0-rc.0 ===
* (T422244, CVE-2026-58025) SECURITY: Safely unserialize log entry
parameters [CVE-2026-58025]
* (T422995, CVE-2026-58037) SECURITY: LogFormatter: 'raw' parameter format
is no longer raw HTML [CVE-2026-58037]
* (T422676, CVE-2026-58029) SECURITY: Check for editmyprivateinfo right in
more places [CVE-2026-58029]
* (T422085, CVE-2026-58024) SECURITY: Restrict interwiki user lookup in
ApiUserrights [CVE-2026-58024]
* (T299359, CVE-2026-58026) SECURITY: Make sure the actual title that's
being transcluded is includable [CVE-2026-58026]
* (T426867, CVE-2026-58032) SECURITY: mw.Api.getErrorMessage: Treat
formatversion=1 as text [CVE-2026-58032]
* (T427235, CVE-2026-58033) SECURITY: Exclude rev-deleted usernames from
distinct authors query [CVE-2026-58033]
* (T422306, CVE-2026-58028) SECURITY: Disallow user JS in pretty-print
api.php responses [CVE-2026-58028]
* (T425406, CVE-2026-58036) SECURITY: Fix ApiQueryUsers leaking status of
private user conditions for user [CVE-2026-58036]
* (T428809, CVE-2026-58035) SECURITY: Parse message using v-i18n-html
instead of using v-html
* (T423617) Check the target url for redirects are allowed
* (T383047) Mail: Log PHP mail() send failures with recipient count
* (T429720) FileRepo: Fix typos in schema compatibility checks
* (T383047) Mail: Extract sendWithMailFunction() from UserMailer::send()
* (T429965) Updated guzzlehttp/guzzle from 7.12.1 to 7.12.3
* (T429826) Updated guzzlehttp/guzzle from 7.10.0 to 7.12.1
* (T428406) LocalFileMoveBatch: Also update fr_archive_name when moving file
* (T424462) tests: Limit ResourcesTest::testRespond to general-purpose skins
* (T424462) tests: loop modules inside ResourcesTest::testRespond
* (T428289) Email confirmation banner: Remove Test Kitchen A/B test
scaffolding
* (T421366) Email confirmation banner: Remove obsolete arm_b variant
* (T427622) Store indicators in ContentHolder: forward compatibility
* changePassword: Add reason option for password change
* (T425818) changePassword: Log password change to authentication log

Release notes:
[0]
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/refs/heads/REL1_46/RELEASE-NOTES-1.46

Bug report form:
[1]
https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.46-Release

Open Bugs:
[2] https://phabricator.wikimedia.org/tag/mw-1.46-release/

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.tar.gz
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-core-1.46.0.tar.gz
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-core-1.46.0.zip

Patch to previous version (1.46.0-rc.0):
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.patch.gz
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.patch.zip

GPG signatures for the above:
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-core-1.46.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-core-1.46.0.zip.sig
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.zip.sig
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.46/mediawiki-1.46.0.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html