I would like to announce the release of MediaWiki 1.39.13, 1.42.7 and 1.43.2!

These releases serve as security and maintenance releases for these branches.

The tarballs have already been uploaded as of this email, and the git
tags will be pushed shortly.

A "MediaWiki Extensions Security Release Supplement" e-mail will
follow this one, covering security updates for non-bundled extensions.

Reports of bugs with PHP 8.0, 8.1, 8.2, 8.3 and 8.4 support are
particularly welcome, and fixes will be back-ported when possible.

As part of the Wikimedia migration to PHP 8.1, bug fixes affecting PHP
8.0 and 8.1 may have been backported to applicable releases. If you
find issues that haven't been backported, please report these too,
referring to the relevant supported release.

Please see
https://phabricator.wikimedia.org/tag/php_8.0_support/,
https://phabricator.wikimedia.org/tag/php_8.1_support/,
https://phabricator.wikimedia.org/tag/php_8.2_support/,
https://phabricator.wikimedia.org/tag/php_8.3_support/ and
https://phabricator.wikimedia.org/tag/php_8.4_support/ for the
relevant work boards.

As a reminder, MediaWiki 1.35 became end of life (EOL) in December
2023, MediaWiki 1.40 became EOL in June 2024 and MediaWiki 1.41 became
EOL in December 2024.

MediaWiki 1.39 (old LTS) becomes EOL in November 2025.

MediaWiki 1.42 becomes EOL today, June 30, 2025. A separate email will follow.

It is strongly recommended to upgrade to 1.43 (the next LTS after
1.39), which will be supported until December 2027.

== Security fixes ==
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing
suppressed users.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in
HTMLUserTextField validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T391218, CVE-2025-6592) SECURITY: Creating a permanent account from
a temporary account associates temp username and IP address with real
username in AbuseLog.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS
when invalid 'format' is provided.
* (T394863, CVE-2025-6595) SECURITY: Stored XSS through system
messages in MultimediaViewer.
* (T396685, CVE-2025-6596) Vector inserts portlet labels as HTML,
allowing for stored XSS through system messages.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as
login for reauthentication.
* (T389010, CVE-2025-6926) SECURITY: Allow extensions to suppress the
reauth flag on login.
* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when
bl_deleted=1.
* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via
autoblocks of those users.
== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T31856
* https://phabricator.wikimedia.org/T386175
* https://phabricator.wikimedia.org/T389009
* https://phabricator.wikimedia.org/T389010
* https://phabricator.wikimedia.org/T391218
* https://phabricator.wikimedia.org/T391343
* https://phabricator.wikimedia.org/T392276
* https://phabricator.wikimedia.org/T392746
* https://phabricator.wikimedia.org/T394863
* https://phabricator.wikimedia.org/T395063
* https://phabricator.wikimedia.org/T396230
* https://phabricator.wikimedia.org/T396685
* https://phabricator.wikimedia.org/T397595
== Release notes ==
Full release notes for 1.39.13:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.39
Full release notes for 1.42.7:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_42/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.42
Full release notes for 1.43.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_43/RELEASE-NOT...
https://www.mediawiki.org/wiki/Release_notes/1.43
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip
Patch to previous version (1.39.12):
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.tar....
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.13.patch.zip...
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip
Patch to previous version (1.42.6):
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.tar.g...
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-core-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.zip.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.42/mediawiki-1.42.7.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip
Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip
Patch to previous version (1.43.1):
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.tar.g...
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-core-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.2.patch.zip.sig
Public keys:
https://www.mediawiki.org/keys/keys.html