== MediaWiki 1.39.12 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.11 ===
* Localisation updates.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment in the "Configuration changes for system administrators" section.
* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
* (T315202) Account for null values in Exif data.
* (T384879) FormatMetadata: Prevent running preg_match() on null.
* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
* (T319219) Fix Site::getPath() + MediaWikiSite::getFileUrl() confusion.
* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
* (T379125) exception: Suppress dependency loop exception.
* (T381033) RateLimiter: Fix peek mode.
* (T387130, CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.16.5.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import fails.
* Request: Improve log message when headers already sent.
* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank, just error.
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert action.
* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/preg_replace.
* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
* (T368921) ResourceLoader: Set "math=always" before Less.php 5.0 upgrade.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1 ($haystack).
* In .htaccess deny files, use "Satisfy All".
* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
* permissions: Check cascade protection only if page can exists.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions,
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in HTMLMultiSelectField when sections are used.

== MediaWiki 1.39.11 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.10 ===
* Localisation updates.
* (T377450) [DatabaseUpdater] Don't interact with updatelog on virtual domains.
* (T377916) specials: Avoid passing null to str_replace().
* (T378006, T372500) AutoLoader: Use require_once rather than require.
* (T378304) GlobalIdGenerator: Update str_getcsv() call for PHP 8.4.
* Upgrade php-session-serializer from 2.0.1 to 3.0.0.
* Upgrade xmp-reader from 0.8.6 to 0.9.2.
* (T372569) installer: Consistently use double quotes when outputting settings.
* (T362829) Correct range error in regexp of formatmetadata.
* (T381068) ButtonAuthenticationRequest: Add AllowDynamicProperties directive.

== MediaWiki 1.39.10 ==

This is a maintenance release of the MediaWiki 1.39 branch.

== MediaWiki 1.39.8 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.7 ===
* Localisation updates.
* tests: Skip failing tests on php8.2 (and make pass).
* (T326480) ApiResult: Make array ordering consistent across PHP versions.
* (T352789, T287972) build: Raise TestingAccessWrapper from 2.0.0 to 3.0.0.
* (T326478) tests: Create new classes to hold dynamic properties in auth tests.
* (T326478) tests: Avoid dynamic properties in AuthenticationProvider Test.
* (T326466) Introduce and use DynamicPropertyTestHelper.
* tests: Skip failing tests on php8.3 (and make pass).
* (T352910) tests: Use TestingAccessWrapper::newFromClass in session tests.
* (T326478) tests: Avoid dynamic properties in auth tests.
* (T326479, T361985) StatusValue: Allow passing arbitrary data to augment result.
* tests: Remove dead code from WikiPageDbTest::assertPreparedEditNotEquals.
* (T326478) tests: Avoid dynamic properties in SessionManagerTest.
* (T361990) Upgrading wikimedia/parsoid (v0.16.3 => v0.16.4).
* (T357760) Use i18n strings for truncated subpage message in SpecialMovePage.
* ArticleTest: Skip testGetOrSetOnNewProperty() if PHP >= 8.2.
* (T361982) Update wikimedia/less.php from 3.1.0 to 3.2.1.
* debug: Update PsySH 0.11.1 -> 0.12.3.
* (T361991) Fix slash-delimited regex from CLI on maintenence/grep.php.
* (T362078) Improve RestAPIAdditionalRouteFiles path expansion.
* (T352695) tests: Only set $dbSetup if setupTestDB() ends without throwing.
* (T302186) Add title cache for Title::newMainPage().
* objectcache: Fix flaky WANObjectCacheTest::testLockTSESlow case.
* (T362272) api: Replace null $httpCode by 0 in ApiBase::dieWithErrorOrDebug.
* (T150647, T216682) Make EncryptedPassword work with Argon2Password.
* (T327220) Special:ApiHelp: Move widths and floats in CSS to media query.
* (T364270) Fix long param names overlapping docs in API help pages.
* MaintenanceRunner.php: Add trailing newline to error message.
* wrapOldPasswords: Improve progress output and decrease batch size.
* (T361367) ApiFeedWatchlist: Fix handling of array parameters.
* (T132418) ResourceLoader: Add 1min grace via stale-while-revalidate Cache-Control.
* (T366130) EncryptedPassword: Store default parameters as strings.
* Name the PagerTools array entries to allow hooks to unset them.

== MediaWiki 1.39.7 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.6 ===
* Localisation updates.
* (T334992) Headings in the license pickers should not be selected.
* (T353929) ActiveUsersPager: Count actions only once.
* composer: Use @php instead of php.
* (T326065) Indent JsonContent using tabs.
* (T354541) authmanager: Improve AuthenticationRequest docs.
* (T355017) Add missing space in Special:RecentChangesLinked.
* (T355003) composer.json Add ext-bcmath and ext-gmp to suggests.
* PHPVersionCheck: Update text to match currently supported upstream PHP versions (8.1+).
* (T354045) API: mark HTML output as non-cacheable.
* (T355530) filerepo: Fix img_major_mime for files with a non-standard extensions.
* (T355530) MimeAnalyzer: Add @since to isValidMajorMimeType.
* (T317489, T319202) Mark some parserTests on talk pages Parsoid only on REL1_39.
* (T350594) Update wikimedia/parsoid to 0.16.3.
* (T352554) ZhConverter: Fix language variant fallback chain.
* (T357668) Parser::getExternalLinkAttribs: Don't set rel attribute to null.
* LockManagerGroupIntegrationTest: Remove test depending on DBLockManager.
* (T357808) LinkRendererTest: Add missing import for LinkTarget.
* (T353305) ApiResetPassword: Allow both user and email parameters to be passed for reset.
* (T358949) updateCollation: Explicitly cast $scale to int.
* (T359055) api: Improve linking of language codes lists in top level i18n messages.
* (T359294) Make sure MovePage::isValidFileMove matches UploadBase::getTitle.
* (T230245) Respect $maxConcurrency when queuing async FileOps.
* (T352554) Follow-up "ZhConverter: Fix language variant fallback chain".
* (T292237, T317451) build: Restore Doxygen output for MediaWiki release tags.
* (T324903) HistoryPager: Add #[AllowDynamicProperties].
* (T360850) Update Apache config syntax in .htaccess files.
* (T309714, T354274) mime: Add support for 'font/woff' and 'font/woff2' mime type.
* (T309714) mime: Make test cases use data provider.
* (T331608) installer: Bear with schema drift caused by running old updater.
* docs: Remove use of $IP from mwdocgen.php.
* (T317451) build: Restore Doxygen output for MediaWiki release tags (take 3).
* docs: Set stable permalink on markdown files.
* (T357019) allow maintenance/deleteBatch.php to accept page ID.
* (T355538 CVE-2024-PENDING) XSS in edit summary parser.
* (T357760, CVE-2024-PENDING) Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

== MediaWiki 1.39.6 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.5 ===
* Localisation updates.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
* Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
* (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
* Added symfony/polyfill-php82.
* Added symfony/polyfill-php83.
* Updated symfony/yaml from 5.4.10 to 5.4.23.
* (T329609) ApiQueryLanguageinfoTest: Do not pass a float to setFakeTime.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
* tests: Provide coverage for StatusValue::__toString.
* StatusValue: Improve logging/debug output with multibyte characters.
* (T347726, CVE-2023-PENDING) SECURITY: logging: Fix non-escaped messages used in rights log.
* Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
* (T229992) LocalisationCache: Preserve fallback source language info.
* (T275085) Fix logging Status objects to 'authevents' channel.
* (T341310) DEVELOPERS.md: mention git clone and WSL.
* (T351758) DEVELOPERS.md: reword WSL instructions to include best practices.
* (T349115) LocalisationCache: Fix a rare case in fallback source language.
* SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated".
* maintenance: Add missing parenthesis to SQL in attachLatest.php.
* (T353472) maintenance: Fix join condition in DeduplicateArchiveRevId.