diff options
author | Reedy <reedy@wikimedia.org> | 2023-09-27 15:44:59 +0100 |
---|---|---|
committer | Reedy <reedy@wikimedia.org> | 2023-09-29 02:36:33 +0000 |
commit | 292a9f74e9447b760ea593f4586c5268d901cc7f (patch) | |
tree | a48f2e8dd5db5c08800c95b42b43391ea17eff49 | |
parent | 21425b580e0b5517a2db2a52874fc3084e91bd47 (diff) |
Prep 1.40.11.40.1
Change-Id: Ie8fb4e293cad7f0ee3f46bf02424c03564dea601
-rw-r--r-- | RELEASE-NOTES-1.40 | 21 | ||||
-rw-r--r-- | includes/Defines.php | 2 |
2 files changed, 20 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.40 b/RELEASE-NOTES-1.40 index 4d30864ee44e..d7c2db7ce5f7 100644 --- a/RELEASE-NOTES-1.40 +++ b/RELEASE-NOTES-1.40 @@ -1,12 +1,18 @@ = MediaWiki 1.40 = +PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/ +PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/ +PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/ +PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/ + == MediaWiki 1.40.1 == -THIS IS NOT A RELEASE YET +This is a security and maintenance release of the MediaWiki 1.40 branch. === Changes since MediaWiki 1.40.0 === * Localisation updates. -* (T333050) Fix infinite loop for self-redirects with variants conversion. +* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects + with variants conversion. * docs: Fix a few typos in MainConfigSchema. * (T290464) Add DiscussionTools bundling to release notes. * (T309714) mime: Add support for 'font/sfnt' mime type. @@ -52,6 +58,17 @@ THIS IS NOT A RELEASE YET * updateSpecialPages.php: Avoid implicit float conversion on modulo. * (T347227) ImportReporter: Make callback functions public. * (T346898) importDump: Unconditionally call $importer->setUsernamePrefix(). +* doc: Improve description of type in extension.schema.v1.json. +* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages + leading to potential XSS. +* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message + is assumed to yield a valid title. +* (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' + and 'youhavenewmessages' messages. +* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate + revisions by the same user not shown") ignores username suppression. +* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted + XML file to Special:Upload (non standard configuration). == MediaWiki 1.40.0 == diff --git a/includes/Defines.php b/includes/Defines.php index 27cb9de05602..31532fc556a4 100644 --- a/includes/Defines.php +++ b/includes/Defines.php @@ -33,7 +33,7 @@ use Wikimedia\Rdbms\IDatabase; * * @since 1.35 (also backported to 1.33.3 and 1.34.1) */ -define( 'MW_VERSION', '1.40.0' ); +define( 'MW_VERSION', '1.40.1' ); /** @{ * Obsolete IDatabase::makeList() constants |