????
Your IP : 216.73.216.102
== MediaWiki 1.39.15 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.14 ===
* Fixup VisualEditor related backports.
* (T406322, CVE-2025-11261) SECURITY: Escape system messages in
mw.language.listToText.
== MediaWiki 1.39.14 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.13 ===
* Localisation updates.
* (T399672) mime: Add mime types for *.less.
* ParserCacheSerializationTestCases: back port ParserOutput changes from 1.45.
* ParserCacheSerializationTestCases: distinguish empty ToC from missing ToC.
* Fix attachLatest --regenerate-all creating invalid SQL command.
* (T322099) Make RequestContext::sanitizeLangCode() accept null.
* (T380456) exception: Avoid service container init in exception handler.
* diff: Avoid Phan warning with some Wikidiff2 versions.
* (T387408) exception: Skip use of HookRunner when not autoloaded.
* (T327439) ParserOutput: Prepare to allow JsonCodec serialization of TOCData.
* media: Remove pass-by-ref in Exif::exifGPStoNumber.
* (T386208) Exif: Handle malformed gps tags.
* i18n: Add Special:MyLanguage to mediawiki.org links.
* (T380423) Show user a human readable message when $wgLocaltimezone is set to
an invalid timezone.
* (T374042) PostgresUpdater: Fix typo in sites_group index renaming instruction.
* (T401570) rdbms: Fix read-only detection for MariaDB 12.
* (T400881) filerepo: Improve identification of ForeignAPIRepo requests.
* (T402037) config: Change Reauthenticate Time Default.
* SimpleParsoidOutputStash: protect against rollback from MW >= 1.43.
* (T401099, CVE-2025-61638) Upgrading wikimedia/parsoid (v0.16.5 => v0.16.6).
* (T394968) Metadata: ignore LocationCreated, similar to LocationShown.
* (T304428) Allow marking recent changes about logged actions with bot flag.
* (T400505) Regenerate patch-drop-page_restrictions-pr_user.sql for SQLite.
* (T401099, CVE-2025-61638) SECURITY: Sanitize data- attributes.
* (T280413, CVE-2025-61639) SECURITY: Use ManualLogEntry::getDeleted in
::getRecentChange.
* (T402075, CVE-2025-61640) SECURITY: Parse messages instead of inserting
them as HTML.
* (T298690, CVE-2025-61641) SECURITY: api: Disable maxsize in QueryAllPages
in miser mode.
* (T403757, CVE-2025-61643) SECURITY: Don't send suppressed recent changes to
RCFeeds.
* (T398706, CVE-2025-61646) SECURITY: Prevent leaking hidden usernames in
Watchlist/RecentChanges.
== MediaWiki 1.39.13 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.12 ===
* Localisation updates.
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391867) http: Handle accept header with incomplete q.
* Update Pingback address.
* (T393879) objectcache: Cast explicitly to integer.
* (T394989) FormatMetadata::formatFraction: Don't risk passing null to
preg_match.
* (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
* (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
* (T221560) Remove hyphens from legal search characters for MySQL-based database
searches.
* ParserCache forward-compatibility: anticipate removal of OutputHooks.
* Protect against ParserOutput/CacheTime re-namespacing.
* ParserCache forward-compatibility: anticipate removal of TOCHTML.
* SerializationTestUtils: handle 1.xx_wmf* versions; don't fail immediately.
* AuthManager: Be consistent about the remember flag on autocreate.
* (T397883, T397643) htmlform: fix min/max validations on empty input in
int/float fields.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField
validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid
'format' is provided.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for
reauthentication.
== MediaWiki 1.39.12 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.11 ===
* Localisation updates.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment
in the "Configuration changes for system administrators" section.
* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
* (T315202) Account for null values in Exif data.
* (T384879) FormatMetadata: Prevent running preg_match() on null.
* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
* (T319219) Fix Site::getPath() + MediaWikiSite::getFileUrl() confusion.
* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
* (T379125) exception: Suppress dependency loop exception.
* (T381033) RateLimiter: Fix peek mode.
* (T387130, CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.16.5.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in
value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import fails.
* Request: Improve log message when headers already sent.
* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank,
just error.
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same
anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert
action.
* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/
preg_replace.
* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
* (T368921) ResourceLoader: Set "math=always" before Less.php 5.0 upgrade.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1
($haystack).
* In .htaccess deny files, use "Satisfy All".
* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
* permissions: Check cascade protection only if page can exists.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
functions do not correctly enforce suppression restrictions,
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
== MediaWiki 1.39.11 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.10 ===
* Localisation updates.
* (T377450) [DatabaseUpdater] Don't interact with updatelog on virtual domains.
* (T377916) specials: Avoid passing null to str_replace().
* (T378006, T372500) AutoLoader: Use require_once rather than require.
* (T378304) GlobalIdGenerator: Update str_getcsv() call for PHP 8.4.
* Upgrade php-session-serializer from 2.0.1 to 3.0.0.
* Upgrade xmp-reader from 0.8.6 to 0.9.2.
* (T372569) installer: Consistently use double quotes when outputting settings.
* (T362829) Correct range error in regexp of formatmetadata.
* (T381068) ButtonAuthenticationRequest: Add AllowDynamicProperties directive.
== MediaWiki 1.39.10 ==
This is a maintenance release of the MediaWiki 1.39 branch.