MediaWiki 1.40.3
3 April 2024
MediaWiki version 1.40.3 is now available (security release).
Upgrading to MediaWiki 1.40.3
MediaWiki 1.40.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.40.3 upgrade prior to applying it live.
What's New in MediaWiki 1.40.3
This is a security and maintenance release of the MediaWiki 1.40 branch.
Security
- (CVE-2024-PENDING) XSS in edit summary parser.
- (CVE-2024-PENDING) Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.
Bug Changes and Fixes
- Localisation updates.
- CategoryViewer::getSectionPagingLinks: Fix null array offset warning.
- CategoryViewer: Fix "count(): Argument #1 ($value) must be of type Countable|array, null given".
- Headings in the license pickers should not be selected.
- ActiveUsersPager: Count actions only once.
- composer: Use @php instead of php.
- Indent JsonContent using tabs.
- mime: Add support for 'font/woff' and 'font/woff2' mime type.
- Update wikimedia/parsoid to 0.17.3.
- authmanager: Improve AuthenticationRequest docs.
- ForeignResourceManager: Add trailing newline in validateLicense.
- Add missing space in Special:RecentChangesLinked.
- composer.json: Add ext-bcmath and ext-gmp to suggests.
- PHPVersionCheck: Update text to match currently supported upstream PHP versions (8.1+).
- API: mark HTML output as non-cacheable.
- filerepo: Fix img_major_mime for files with non-standard extensions.
- MimeAnalyzer: Add @since to isValidMajorMimeType.
- ZhConverter: Fix language variant fallback chain.
- Parser::getExternalLinkAttribs: Don't set rel attribute to null.
- LockManagerGroupIntegrationTest: Remove test depending on DBLockManager.
- LinkRendererTest: Add missing import for LinkTarget.
- ApiResetPassword: Allow both user and email parameters to be passed for reset.
- updateCollation: Explicitly cast $scale to int.
- api: Improve linking of language codes lists in top level i18n messages.
- Make sure MovePage::isValidFileMove matches UploadBase::getTitle.
- Respect $maxConcurrency when queuing async FileOps.
- Follow-up "ZhConverter: Fix language variant fallback chain".
- Restore ability to disable footer links with "-".
- build: Restore Doxygen output for MediaWiki release tags.
- HistoryPager: Add #[AllowDynamicProperties].
- Update Apache config syntax in .htaccess files.
- mime: Make test cases use data provider.
- Mark some parserTests on talk pages Parsoid only on REL1_40.
- Update wikimedia/parsoid to 0.17.4.
- docs: Remove use of $IP from mwdocgen.php.
- build: Restore Doxygen output for MediaWiki release tags.
- docs: Set stable permalink on markdown files.
- Allow maintenance/deleteBatch.php to accept page ID.