Page MenuHomePhabricator
Create Task
Maniphest T353898

Write and send release announcements for MediaWiki 1.39.7/1.40.3/1.41.1
Closed, ResolvedPublic
Actions

Description

Previous work: T347653: Write and send release announcements for MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0, T347652: Write and send pre-release announcements for MediaWiki 1.35.14/1.39.6/1.40.2/1.41.0
Pre-release announcement: T353897: Write and send pre-release announcements for MediaWiki 1.39.7/1.40.3/1.41.1

I would like to announce the release of MediaWiki 1.39.7, 1.40.3 and 1.41.1!

These releases also serve as a maintenance release for these branches.

The tarballs have already been uploaded as of this email, and the git tags have been pushed.

Unfortunately at the time of finalising this release, the CVE has not been assigned a tracking number by MITRE. To get these releases out as detailed in the pre-release announcement, they are therefore documented as "CVE-2024-PENDING" here and in the commit messages of the commits that will be pushed. The related tasks will be updated in retrospect when the CVEs are issued, and we will also amend the RELEASE-NOTES files. They will then be retrospectively correctly documented in the next releases, and in HISTORY in the master branch of MediaWiki core.

While it does not happen commonly, the fix for T357760 includes a hard coded English error message. This will be improved for the next point releases for all branches, and as such, back-ported translations will also be included.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

Various patches aimed at PHP 8.0, 8.1, 8.2 and 8.3 support have been back-ported.

Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/ and https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023.

It is strongly recommended to upgrade to either 1.39 (the next LTS after 1.35), which will be supported until November 2025, 1.40, which will be supported until June 2024, or 1.41, which will be supported until December 2024.

== Security fixes ==

* (T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.
* (T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

== Links to all mentioned tasks ==

* https://phabricator.wikimedia.org/T355538
* https://phabricator.wikimedia.org/T357760

== Release notes ==

Full release notes for 1.39.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES-1.39
https://www.mediawiki.org/wiki/Release_notes/1.39

Full release notes for 1.40.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_40/RELEASE-NOTES-1.40
https://www.mediawiki.org/wiki/Release_notes/1.40

Full release notes for 1.41.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_41/RELEASE-NOTES-1.41
https://www.mediawiki.org/wiki/Release_notes/1.41

For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.7.zip

Patch to previous version (1.39.6):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.7.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.3.zip

Patch to previous version (1.40.2):
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.3.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.1.tar.gz
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.1.zip

Patch to previous version (1.41.0):
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.patch.gz
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-core-1.41.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.zip.sig
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.41/mediawiki-1.41.1.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Related Objects
Search...

Event Timeline

Reedy added projects: Security, MediaWiki-Releasing.Dec 21 2023, 6:53 PM
Reedy subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 21 2023, 6:53 PM
Reedy added a parent task: T353894: Release MediaWiki 1.39.7/1.40.3/1.41.1.Dec 21 2023, 6:53 PM
Reedy mentioned this in T353897: Write and send pre-release announcements for MediaWiki 1.39.7/1.40.3/1.41.1.Dec 21 2023, 6:55 PM
Reedy updated the task description. (Show Details)
Reedy renamed this task from Write and send release announcements for MediaWiki 1.39.6/1.40.2/1.41.1 to Write and send release announcements for MediaWiki 1.39.7/1.40.3/1.41.1.Mar 26 2024, 2:49 PM
Reedy changed the task status from Open to In Progress.Mar 26 2024, 5:06 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)Mar 28 2024, 9:58 PM
Reedy updated the task description. (Show Details)Mar 28 2024, 10:02 PM
Reedy closed this task as Resolved.Mar 28 2024, 10:45 PM
Reedy claimed this task.
Reedy changed the visibility from "acl*security (Project)" to "Public (No Login Required)".Mar 28 2024, 11:31 PM
Reedy changed the edit policy from "acl*security (Project)" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL