I would like to announce the release of MediaWiki 1.43.7, 1.44.4 and 1.45.2!
These releases serve as security and maintenance releases for these branches. They ended up a little later than expected in the day, due a last minute addition of the fix to Echo in T420154. The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly. A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions. Reports of bugs with PHP 8.0 to 8.5 support are particularly welcome, and fixes will be back-ported when possible. If you find issues that haven't been backported, please report these too, referring to the relevant supported release. PHP 8.x workboards: * https://phabricator.wikimedia.org/tag/php_8.0_support/ * https://phabricator.wikimedia.org/tag/php_8.1_support/ * https://phabricator.wikimedia.org/tag/php_8.2_support/ * https://phabricator.wikimedia.org/tag/php_8.3_support/ * https://phabricator.wikimedia.org/tag/php_8.4_support/ * https://phabricator.wikimedia.org/tag/php_8.5_support/ As a reminder, MediaWiki 1.39 became EOL in December 2025 and MediaWiki 1.42 became EOL in June 2025. == Security fixes == * (T384147, CVE-2026-34092) SECURITY: Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP. * (T410429, CVE-2026-34088) SECURITY: RecentChanges entries expose suppressed content via generated log page html. * (T411305, CVE-2026-34091) SECURITY: User localization leaked by AbuseFilter + EventStream. * (T411366, CVE-2026-34090) SECURITY: Suggested investigations: Handle suppressed usernames. * (T412061, CVE-2026-34087) SECURITY: Users API leaks whether privileged users have their user groups disabled for lack of 2FA. * (T414547, CVE-2026-34093) SECURITY: Special:UserRights allows viewing user rights from private wiki. * (T415584, CVE-2026-34086) SECURITY: AbuseFilter misuses ::userCanBitfield, exposing access-controlled information. * (T416090, CVE-2026-34094) SECURITY: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix. * (T419168, CVE-2026-34089) SECURITY: Memory leak in Scribunto causes runJobs.php to run out of memory. * (T419192, CVE-2026-34095) SECURITY: action=raw with Special:Mypage subpage title responds with "Content-Type) SECURITY: text/html" on ctype=text/javascript request. * (T420154, CVE-2026-5266) SECURITY: Notifications (Echo) API can be used by any OAuth tool. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T384147 * https://phabricator.wikimedia.org/T410429 * https://phabricator.wikimedia.org/T411305 * https://phabricator.wikimedia.org/T411366 * https://phabricator.wikimedia.org/T412061 * https://phabricator.wikimedia.org/T414547 * https://phabricator.wikimedia.org/T415584 * https://phabricator.wikimedia.org/T416090 * https://phabricator.wikimedia.org/T419168 * https://phabricator.wikimedia.org/T419192 * https://phabricator.wikimedia.org/T420154 == Release notes == Full release notes for 1.43.7: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOTES-1.43 https://www.mediawiki.org/wiki/Release_notes/1.43 Full release notes for 1.44.4: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_44/RELEASE-NOTES-1.44 https://www.mediawiki.org/wiki/Release_notes/1.44 Full release notes for 1.45.2: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_45/RELEASE-NOTES-1.45 https://www.mediawiki.org/wiki/Release_notes/1.45 For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip Patch to previous version (1.43.6): https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.7.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.zip.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.7.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip Patch to previous version (1.44.3): https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-core-1.44.4.zip.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.zip.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.44/mediawiki-1.44.4.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip Patch to previous version (1.45.1): https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-core-1.45.2.zip.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.zip.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.45/mediawiki-1.45.2.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html
_______________________________________________ MediaWiki-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
