author | Reedy <reedy@wikimedia.org> | 2023-09-27 15:42:19 +0100 |
---|---|---|
committer | Jforrester <jforrester@wikimedia.org> | 2023-09-29 00:59:18 +0000 |
commit | 1e3757f7f2e2a06ccd5c4f962753b8c9abe1fed6 | |
tree | 6134ad654d1526e5a79b46848b3ae87874f65045 | |
parent | 3986bd96fcdea55fa3b51c7879b7c5a17b463e8c | |
Prep 1.39.5
Change-Id: I27342036c5ce5ef15531d066a9b6e546a464626c
-rw-r--r-- | RELEASE-NOTES-1.39 | 17 |
-rw-r--r-- | includes/Defines.php | 2 |
2 files changed, 16 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.39 b/RELEASE-NOTES-1.39 index ae9e12ca98f2..889c11260384 100644 --- a/RELEASE-NOTES-1.39 +++ b/RELEASE-NOTES-1.39 @@ -7,11 +7,12 @@ PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/ == MediaWiki 1.39.5 == -THIS IS NOT A RELEASE YET +This is a security and maintenance release of the MediaWiki 1.39 branch. === Changes since MediaWiki 1.39.4 === * Localisation updates. -* (T333050) Fix infinite loop for self-redirects with variants conversion. +* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects + with variants conversion. * docs: Fix a few typos in MainConfigSchema. * (T309714) mime: Add support for 'font/sfnt' mime type. * (T341434) WikiImporter: Improve error message output. @@ -61,6 +62,18 @@ THIS IS NOT A RELEASE YET * updateSpecialPages.php: Avoid implicit float conversion on modulo. * (T347227) ImportReporter: Make callback functions public. * (T346898) importDump: Unconditionally call $importer->setUsernamePrefix(). +* doc: Improve description of type in extension.schema.v1.json. +* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped + messages leading to potential XSS. +* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page + message is assumed to yield a valid title. +* (T340221, CVE-2023-PENDING) SECURITY: XSS via + 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages. +* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser + ("X intermediate revisions by the same user not shown") ignores + username suppression. +* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted + XML file to Special:Upload (non-standard configuration). == MediaWiki 1.39.4 == diff --git a/includes/Defines.php b/includes/Defines.php index 7cf752a2061a..182c62d04be0 100644 --- a/includes/Defines.php +++ b/includes/Defines.php 
@@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase; * * @since 1.35 (also backported to 1.33.3 and 1.34.1) */ -define( 'MW_VERSION', '1.39.4' ); +define( 'MW_VERSION', '1.39.5' ); /** @{ * Obsolete IDatabase::makeList() constants |
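Review bot: in the first RELEASE-NOTES-1.39 hunk (@@ -7,11 +7,12 @@), the T333050 entry gains the placeholder CVE-2023-PENDING in the same change that replaces "THIS IS NOT A RELEASE YET" with the release statement, so the placeholder ships in notes that now describe a published security release. Suggest filling in the assigned CVE id before tagging, or tracking a follow-up to replace it, so that readers can match the entry to an advisory.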
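Review bot: in the second RELEASE-NOTES-1.39 hunk (@@ -61,6 +62,18 @@), the T341565 entry says "(non-standard configuration)" without naming the setting that makes Special:Upload affected, so an administrator cannot tell from the notes alone whether their wiki is exposed. Suggest naming the configuration in the entry or pointing to where it is described. The four entries above it (T340217, T340220, T340221, T341529) also carry CVE-2023-PENDING and need the ids filled in once assigned.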