== MediaWiki 1.43.1 ==

This is a security and maintenance release of the MediaWiki 1.43 branch.

=== Changes since MediaWiki 1.43.0 ===

* Localisation updates.
* (T375707) exception: Convert E_STRICT errors to E_USER_NOTICE.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment in the "Configuration changes for system administrators" section.
* (T383037) MimeMap: add gltf and glb mime types.
* (T383037) MimeAnalyzer: detect magic number for gltf binary.
* Commit swagger-ui's NOTICE.
* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
* (T375707) MWExceptionHandler: Add error suppression to constant( 'E_STRICT' ).
* (T384879) FormatMetadata: Prevent running preg_match() on null.
* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
* (T385055) resourceloader: Fix hash computation for virtual files with versionFilePath.
* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
* (T385567) parser: Gracefully handle invalid ParsoidRenderID keys.
* (T385568) rest: Return a 400 for invalid render IDs.
* (T383646) installer: Simplify the information box.
* (T384524) installer: Fix conflation between warning and info messages.
* (T376711) language: Use fallback chain to create NumberFormatter.
* (T384524) installer: Restore success messages.
* (T384524) installer: Restore "complete" success message.
* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
* (T386891) Revert "maintenance: Use DatabaseSqlite for type-hinting instead of DBConnRef".
* (T381205) Add explanation text for "Allow emails from brand-new users".
* (T380880) ExternalLinks: fix mailto: links reversal.
* (T381033) RateLimiter: Fix peek mode.
* initEditCount: Join from user to actor to revision.
* (T387130, CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.20.2.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import fails.
* Request: Improve log message when headers already sent.
* (T386368, T387397) REST page metadata endpoints: handle suppressed data gracefully.
* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T384197) permissions: Avoid potential infinite loop if BlockDisablesLogin = true.
* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank, just error.
* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/preg_replace.
* (T388944) Html: Fix "substr(): Passing null to parameter #1 ($string) of type string is deprecated".
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
* (T315573) Fix GREATEST usage in site_stats.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert action.
* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager: Differentiate between cascading protection of file content and file pages.
* (T387507) ResourceLoader: update wikimedia/minify from 2.8.0 to 2.8.1.
* (T388273, T388335) Upgrading pear/net_url2 (v2.2.2 => v2.2.3).
* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1 ($haystack).
* (T378622) Parameterize ChangeTags::buildTagFilterSelector to support various tag sets.
* (T344352) ChangeTags: Optimize label and description parsing.
* In .htaccess deny files, use "Satisfy All".
* (T322672, T387478) REST: Remove unused setUseParserCache() as potential footgun.
* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
* (T388807) LanguageConverter: Only set mTablesLoaded once they're really loaded.
* RestrictionStore: Remove short-circuit mode when fetching cascading sources.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in HTMLMultiSelectField when sections are used.

= MediaWiki 1.43 =

=== Changes since MediaWiki 1.43.0-rc.0 ===

* (T381728) Use PHP 8.3 in MediaWiki-Docker
* (T382375) Misaligned label margins on Special:MathStatus
* (T382196) \overbrace rendered below (not above) in MathML and client-side Mathjax
* (T381310) Math Popup not working in newer version of Popup-Extension
* (T380079) This page is using the deprecated ResourceLoader module "mediawiki.Uri" on page load
* (T381311) Preview has wrong location in MathML mode
* (T381046) Preview not working with MathML rendering
* (T381102) <math>\left(a\right)'</math> in MathML and MathJax renders with one prime symbol too much
* (T380184) <math>\operatorname{vec}</math> crashes with native MathML
* (T380654) vertical space between multline equations is ignored
* (T375274) mediawiki_function_names math functions eat the following paren in native MML mode
* (T373732) Audit SUL3 shared-domain i18n messages for XSS
* (T381068) PHP Deprecated: Creation of dynamic property MediaWiki\\Auth\\ButtonAuthenticationRequest::$skipReset is deprecated at AuthenticationRequest.php:182
* (T20110) Define AbuseFilter consequence to display a CAPTCHA
* (T332743) On private wikis the ellipsis should not appear above 720px (wikitech, office, translate wiki)

== MediaWiki 1.43.0-PRERELEASE ==

== Upgrading notes for 1.43 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.35.

Some specific notes for MediaWiki 1.43 upgrades are below:

* It is now necessary that the OpenSSL PHP extension is installed.
* update.php updates the Linter database table with two migration scripts that can take a long time to run: with the provided settings, each migration script updates roughly 500 rows per second. If at all possible, it is highly recommended to let update.php run these migration scripts. If this is deemed too long a maintenance operation (depending on the number of rows in the Linter database table), it is possible, for an upgrade from 1.40 onwards, to run the migration scripts before updating the MediaWiki and extensions files to 1.43. Set $wgLinterWriteNamespaceColumnStage and $wgLinterWriteTagAndTemplateColumnsStage to true, and run the extensions/Linter/maintenance/migrateNamespace.php and extensions/Linter/maintenance/migrateTagTemplate.php migration scripts before proceeding with any other code update. When upgrading from a version <= 1.39, a multi-step update is necessary to be able to run the migration scripts independently from update.php: first update to 1.42, then proceed as indicated.