[TOPF] [MediaWiki-announce] Security and maintenance release: 1.35.7 / 1.37.3 / 1.38.2
Sam Reed
Thursday, 30 June 2022, 22:42
I would like to announce the release of MediaWiki 1.35.7, 1.37.3 and 1.38.2!

There was no pre-release announcement as the security fixes being included are low-risk XSS vulnerabilities that aren't exploitable in the default MediaWiki config. The patches have also been committed to git for a while.

These releases also serve as a maintenance release for these branches.

While tarballs have already been uploaded as of this e-mail, git tags will follow later on today.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.

T308473 only applies to MediaWiki > 1.35. Therefore the fix has not been back-ported to 1.35.

T309377 only applies to MediaWiki 1.35 due to having guzzlehttp/guzzle 6.5.5. MediaWiki >= 1.36 had already been upgraded to guzzlehttp/guzzle 7.2. The patch for MediaWiki 1.35 in T309377 was superseded by the subsequent guzzlehttp/guzzle update in T311384.

Various patches aimed at PHP 8.0 and PHP 8.1 support have been backported. This should fix a lot of log spam, and MediaWiki should work on both versions. Bug reports on PHP 8.0 and 8.1 are very welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/ and https://phabricator.wikimedia.org/tag/php_8.1_support/ for the relevant work boards.

== Security fixes ==
* (T308471) Username is not escaped in the "welcomeuser" message.
* (T308473) Username not escaped in the contributions-title message.
* (T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
* (T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T308471
* https://phabricator.wikimedia.org/T308473
* https://phabricator.wikimedia.org/T309377
* https://phabricator.wikimedia.org/T311384

== Release notes ==
Full release notes for 1.35.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.35

Full release notes for 1.37.3:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_37/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.37

Full release notes for 1.38.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.38

For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading>

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip
Patch to previous version (1.35.6):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.tar.g...
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.7.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip
Patch to previous version (1.37.2):
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.tar.g...
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-core-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.zip.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.37/mediawiki-1.37.3.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip
Patch to previous version (1.38.1):
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.tar.g...
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
_______________________________________________
MediaWiki-announce mailing list -- mediawiki-announce(a)lists.wikimedia.org
To unsubscribe send an email to mediawiki-announce-leave(a)lists.wikimedia.org
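
An added example, not part of the announcement and not MediaWiki code: a check an administrator could run against an installation's `composer.lock` or `vendor/composer/installed.json` to see whether the bundled guzzlehttp/guzzle has reached the versions named under T311384 (6.5.8 / 7.4.5). The function names and the sample lock files are constructed for illustration; the file layout assumed is the standard Composer one (a `packages` list of objects with `name` and `version`).

```python
import json
import re

# Versions the announcement updates to (T311384): 6.5.8 on 6.x, 7.4.5 on 7.x.
FIXED = {6: (6, 5, 8), 7: (7, 4, 5)}
PACKAGE = "guzzlehttp/guzzle"


def parse_version(text):
    """'6.5.5', 'v7.2.0' or '7.2' -> (major, minor, patch); None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def installed_packages(doc):
    """Yield package entries from composer.lock or installed.json (Composer 1 or 2)."""
    if isinstance(doc, list):  # Composer 1 installed.json is a bare list
        yield from doc
        return
    for key in ("packages", "packages-dev"):
        yield from doc.get(key) or []


def check_guzzle(lock_text):
    """Return (status, version); status is 'fixed', 'outdated', 'unknown' or 'absent'."""
    for pkg in installed_packages(json.loads(lock_text)):
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None or ver[0] not in FIXED:
            return ("unknown", raw)  # dev branch or unexpected major: review by hand
        return ("fixed" if ver >= FIXED[ver[0]] else "outdated", raw)
    return ("absent", None)


def sample_lock(version):
    """Constructed composer.lock content carrying the given guzzle version."""
    return json.dumps({
        "packages": [
            {"name": "psr/log", "version": "1.1.4"},
            {"name": PACKAGE, "version": version},
        ],
        "packages-dev": [],
    })


if __name__ == "__main__":
    # 6.5.5 and 7.2 are the pre-release versions the announcement mentions.
    for v in ("6.5.5", "7.2", "6.5.8", "7.4.5", "dev-master"):
        print(v, check_guzzle(sample_lock(v)))
```
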