Page MenuHomePhabricator
Create Task
Maniphest T325843

Write and send release announcements for MediaWiki 1.35.10/1.38.6/1.39.3
Closed, ResolvedPublic
Actions

Description

Previous work: {T318968}

I would like to announce the release of MediaWiki 1.35.10, 1.38.6 and 1.39.3!

These releases also serve as a maintenance release for these branches.

The tarballs have already been uploaded as of this e-mail, and the git tags have been pushed.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

The fixes for the issues in OATHAuth and VisualEditor were already included in 1.39.2 due the patches being made in public and were of lower severity.

All three fixes apply to the pre-release 1.40, and will be included in the upcoming 1.40.0-rc.1 release. They will be merged into the REL1_40 branch later today.

Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been back-ported. This should fix a lot of log spam, and MediaWiki should work on both released versions (PHP 8.0 and 8.1).

Reports of bugs with PHP 8.0, 8.1, or 8.2 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/ and https://phabricator.wikimedia.org/tag/php_8.2_support/ for the relevant work boards.

As a reminder, 1.38 is due to become end of life (EOL) in June 2023. 1.38.7 (due in June 2023 on the usual release cadence) is expected to be the last release for this branch. It is recommended to upgrade to 1.39 (the next LTS after 1.35).

== Security fixes ==
* (T285159, CVE-2023-PENDING) SECURITY: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.
* (T326946, CVE-2020-36649) SECURITY: Bundled PapaParse copy in VisualEditor has known ReDos.
* (T330086, CVE-2023-PENDING) SECURITY: OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T285159
* https://phabricator.wikimedia.org/T326946
* https://phabricator.wikimedia.org/T330086

== Release notes ==

Full release notes for 1.35.10:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.38.6:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES-1.38
https://www.mediawiki.org/wiki/Release_notes/1.38

Full release notes for 1.39.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.10.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.10.zip

Patch to previous version (1.35.9):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.10.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.10.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.10.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.6.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.6.zip

Patch to previous version (1.38.5):
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.patch.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.6.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.3.zip

Patch to previous version (1.39.2):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Dec 22 2022, 10:13 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 22 2022, 10:13 PM
Reedy added a parent task: T325839: Release MediaWiki 1.35.10/1.38.6/1.39.3.Dec 22 2022, 10:14 PM
DannyS712 updated the task description. (Show Details)Dec 23 2022, 1:32 AM
Reedy mentioned this in T330086: CVE-2023-29142: OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration.Feb 20 2023, 3:08 PM
Reedy renamed this task from Write and send release announcements for MediaWiki 1.35.10/1.38.6/1.39.2 to Write and send release announcements for MediaWiki 1.35.10/1.38.6/1.39.3.Feb 21 2023, 4:06 PM
Reedy updated the task description. (Show Details)Mar 30 2023, 10:38 PM
Reedy updated the task description. (Show Details)Mar 30 2023, 10:41 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Mar 30 2023, 10:47 PM
Reedy updated the task description. (Show Details)Mar 30 2023, 10:51 PM
Reedy updated the task description. (Show Details)Mar 30 2023, 10:56 PM
Reedy closed this task as Resolved.Mar 30 2023, 11:31 PM
Reedy claimed this task.
DannyS712 mentioned this in T333620: Write and send release announcements for MediaWiki 1.35.11/1.38.7/1.39.4.Apr 4 2023, 3:34 PM
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Jun 30 2023, 5:33 PM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits