[MediaWiki-announce] MediaWiki 1.42 is End of Life
by Sam Reed
As per the MediaWiki version lifecycle[1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.42 as of Monday June 30, 2025.
1.42.7 is expected to be the last release for this branch.
This means that MediaWiki 1.42 will no longer receive maintenance or
security backports. It is therefore strongly discouraged that you continue
to use it.
It is recommended to upgrade either to the next LTS, 1.43, which will be
supported until December 2027, or to the soon-to-be-released MediaWiki
1.44, which will be supported until at least June 2026.
Thanks!
[1] https://www.mediawiki.org/wiki/Version_lifecycle
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce(a)lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave(a)lists.wikimedia.org
3 months, 2 weeks
[MediaWiki-announce] Security and maintenance release: 1.39.13 / 1.42.7 / 1.43.2
by Sam Reed
I would like to announce the release of MediaWiki 1.39.13, 1.42.7 and 1.43.2!
These releases serve as security and maintenance releases for these branches.
The tarballs have already been uploaded as of this email, and the git
tags will be pushed shortly.
A "MediaWiki Extensions Security Release Supplement" e-mail will
follow this one, covering security updates for non-bundled extensions.
Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible.
As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP
8.0 and 8.1 may have been backported to applicable releases. If you
find issues that haven't been backported, please report these too,
referring to the relevant supported release.
Please see https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the
relevant work boards.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December
2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became
EOL in December 2024.
MediaWiki 1.39 (old LTS) becomes EOL in November 2025.
MediaWiki 1.42 becomes EOL today, June 30, 2025. A separate email will follow.
It is strongly recommended to upgrade to 1.43 (the next LTS after
1.39), which will be supported until December 2027.
== Security fixes ==
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing
suppressed users.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in
HTMLUserTextField validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T391218, CVE-2025-6592) SECURITY: Creating a permanent account from
a temporary account associates temp username and IP address with real
username in AbuseLog.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS
when invalid 'format' is provided.
* (T394863, CVE-2025-6595) SECURITY: Stored XSS through system
messages in MultimediaViewer.
* (T396685, CVE-2025-6596) Vector inserts portlet labels as HTML,
allowing for stored XSS through system messages.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as
login for reauthentication.
* (T389010, CVE-2025-6926) SECURITY: Allow extensions to suppress the
reauth flag on login.
* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when
bl_deleted=1.
* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via
autoblocks of those users.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T31856
* https://phabricator.wikimedia.org/T386175
* https://phabricator.wikimedia.org/T389009
* https://phabricator.wikimedia.org/T389010
* https://phabricator.wikimedia.org/T391218
* https://phabricator.wikimedia.org/T391343
* https://phabricator.wikimedia.org/T392276
* https://phabricator.wikimedia.org/T392746
* https://phabricator.wikimedia.org/T394863
* https://phabricator.wikimedia.org/T395063
* https://phabricator.wikimedia.org/T396230
* https://phabricator.wikimedia.org/T396685
* https://phabricator.wikimedia.org/T397595
== Release notes ==
Full release notes for 1.39.13:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.39
Full release notes for 1.42.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.42
Full release notes for 1.43.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.43
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip
Patch to previous version (1.39.12):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar....
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip...
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip
Patch to previous version (1.42.6):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.g...
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip
Patch to previous version (1.43.1):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.g...
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
3 months, 2 weeks
Scheduled maintenance Wednesday night: Kubernetes updates
by erp@infra.run
Dear users of infra.run services,
this Wednesday, 02.07.2025, we will carry out scheduled maintenance between 22:00 and, at the latest, 04:00 the following day.
This is necessary to keep our software and infrastructure up to date.
During this time, individual services may be briefly unavailable. Once the maintenance is complete, our services will again be fully available to you as usual.
We are happy to answer any questions at any time.
Kind regards
Leonie Hannig
infra.run Service GmbH - Holzmarktstraße 25 10243 Berlin
Commercial register: Amtsgericht Charlottenburg HRB 225307 B
Tax number: 37/358/53120 VAT ID: DE340100821
Managing directors: Leonie Hannig, Markus Otto, Andreas Steinhauser
3 months, 3 weeks
[MediaWiki-announce] Security pre-release announcement: 1.39.13 / 1.42.7 / 1.43.2
by Sam Reed
Hi all,
On Monday we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.39.13
- 1.42.7
- 1.43.2
This will also resolve security issues in bundled extensions, along with
bug fixes included for maintenance reasons.
These security issues also affect many unsupported versions of MediaWiki.
We will make the fixes available in the respective release branches and
master in git. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow later.
As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023,
MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became EOL in
December 2024.
MediaWiki 1.42 becomes EOL at the end of June 2025.
MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in November 2025.
It is strongly recommended to upgrade to 1.43 (the next LTS after 1.39),
which will be supported until December 2027.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
3 months, 3 weeks
GitLab Patch Release: 18.1.1, 18.0.3, 17.11.5
by GitLab Security Team
Today we are releasing versions 18.1.1, 18.0.3, 17.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important security fixes and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. You can see details in this patch release blog post <https://about.gitlab.com/releases/2025/06/25/patch-release-gitlab-18-1-1-...>.
Please forward this alert to appropriate people at your organization and have them subscribe to Security Notices <https://about.gitlab.com/company/contact/>. You can also receive security blog updates by subscribing to our patch release RSS feed <https://about.gitlab.com/security-releases.xml> or our RSS feed for all GitLab releases <https://about.gitlab.com/all-releases.xml>.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our security FAQ <https://about.gitlab.com/security/faq/>.
You can see all of GitLab release blog posts here <https://about.gitlab.com/releases/categories/releases/>.
Sincerely,
GitLab Security Team
GitLab 268 Bush Street, #350, San Francisco, CA 94104, USA
This email was sent to topf(a)zapf.in. You may unsubscribe <https://page.gitlab.com/UnsubscribePage.html?mkt_unsubscribe=1&mkt_tok=MT...> anytime from GitLab's marketing emails but you will still receive operational emails related to your account. Please note that security(a)gitlab.com is an unmonitored email address.
3 months, 3 weeks
Undelivered Mail Returned to Sender
by MAILER-DAEMON@zapf.in
This is the mail system at host mail.zapf.in.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<topf(a)zapf.in>: host 127.0.0.1[127.0.0.1] said: 550 No Message-ID header
provided (in reply to end of DATA command)
3 months, 3 weeks
gremien@zapf.in post from rubnee@uni-bremen.de requires approval
by gremien-owner@zapf.in
As list administrator, your authorization is requested for the
following mailing list posting:
List: gremien(a)zapf.in
From: rubnee(a)uni-bremen.de
Subject: Abschaltung des Legacy-Systems
The message is being held because:
The message is not from a list member
At your convenience, visit your dashboard to approve or deny the
request.
3 months, 3 weeks
orgas@zapf.in post from stapf@zapf.in requires approval
by orgas-owner@zapf.in
As list administrator, your authorization is requested for the
following mailing list posting:
List: orgas(a)zapf.in
From: stapf(a)zapf.in
Subject: Einladung zur 2ten Sitzung des 23,6ten StAPFes
The message is being held because:
The message is not from a list member
At your convenience, visit your dashboard to approve or deny the
request.
3 months, 4 weeks