Mailing List Archive

Security and maintenance release: 1.35.12 / 1.39.5 / 1.40.1
I would like to announce the release of MediaWiki 1.35.12, 1.39.5 and

These releases also serve as a maintenance release for these branches.

The tarballs have already been uploaded as of this email, and the git tags
have been pushed.

Unfortunately at the time of finalising this release, none of our CVEs have
been assigned a tracking number by MITRE. To get these releases out as
detailed in the pre-release announcement, they are therefore documented as
"CVE-2023-PENDING" here and in the commit messages of the commits that will
be pushed. The related tasks will be updated in retrospect when the CVEs
are issued, and we will also amend the RELEASE-NOTES files. They will then
be retrospectively correctly documented in the next releases, and in
HISTORY in the master branch of MediaWiki core.

Two of the referenced tasks and their applicable security fixes were not
counted in the pre-release announcement.

Notes about specific CVEs:

T333050 was merged in public after the 1.35.11/1.38.7/1.39.4 and 1.40.0

T264765 was merged in public before the 1.39.5/1.40.1 releases, and would
affect 1.36 onwards.

T340217 only applies to Vector 2022 in 1.40.

T340220 would affect 1.38 onwards, but is not being fixed in 1.38 due to
that branch being unsupported since June 2023.

T340221 and T341529 are applied to all supported branches, but would also
affect numerous unsupported branches.

T341565 against CVE-2023-3550 was made public on a third party platform
before the reporters' own timeline (as disclosed to the Wikimedia
Foundation), and also without approval from ourselves.

MediaWiki provides no support for displaying/rendering these XML files.
MediaWiki in a default configuration is not vulnerable to this issue; 'xml'
would have had to be added to '$wgFileExtensions' in LocalSettings.php.

It continues to be strongly recommended not to enable uploading XML files
(via Special:Upload etc.; not via Special:Import). SVG files are not

If you need to allow XML file upload (for some reason), you will now have
to remove 'xml' from '$wgProhibitedFileExtensions' and the xml entries from
'$wgMimeTypeExclusions' (in 1.35, from '$wgFileBlacklist' and
'$wgMimeTypeBlacklist' respectively). While it is strongly not recommended
to enable the upload of XML files, if you need to allow this for some
reason, it is very much strongly suggested you only allow uploads from
users that you trust, and that they only upload files from trusted sources.

See$wgProhibitedFileExtensions and$wgProhibitedFileExtensions for more
information about how these mechanisms work.

A "MediaWiki Extensions Security Release Supplement" e-mail will follow
this one, covering security updates for non-bundled extensions.

Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been

Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly
welcome, and fixes will be back-ported when possible. Please see,, and for the relevant
work boards.

As a reminder, when 1.35 was released, it was originally due to become end
of life (EOL) at the end of September 2023. Due to 1.39 being released late
(November 2022), and to honor the commitment to the 1 year overlap of
MediaWiki LTS releases, this formal EOL process is being delayed till at
least the end of November 2023.

In practice, this may become sometime in December 2023, to coincide with
the security and maintenance release for this quarter. A formal EOL
announcement will come in advance

It is therefore expected that 1.35.13 in December 2023 will become the
final release for the 1.35 branch.

It is noted that support and CI for 1.35 is becoming more limited;
backports are being done on a best effort basis. Browser testing has been
dropped for 1.35 in Wikimedia CI, due to the difficulties to support this.

It is strongly recommended to upgrade to 1.39 (the next LTS after 1.35),
which will be supported until November 2025, or 1.40, which will be
supported until June 2024.

== Security fixes ==

* (T264765, CVE-2023-PENDING) SECURITY: Users without correct permission
are incorrectly shown MediaWiki:Missing-revision-permission.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped
messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page
message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X
intermediate revisions by the same user not shown") ignores username
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
file to Special:Upload (non-standard configuration).

== Links to all mentioned tasks ==


== Release notes ==

Full release notes for 1.35.12:

Full release notes for 1.39.5:

Full release notes for 1.40.1:

For information about how to upgrade, see


Download without bundled extensions:

Patch to previous version (1.35.11):

GPG signatures:

Public keys:


Download without bundled extensions:

Patch to previous version (1.39.4):

GPG signatures:

Public keys:


Download without bundled extensions:

Patch to previous version (1.40.0):

GPG signatures:

Public keys:
MediaWiki-announce mailing list --
To unsubscribe send an email to