MediaWiki 1.37.2
1 April 2022
MediaWiki version 1.37.2 is now available (security release).
Upgrading to MediaWiki 1.37.2
MediaWiki 1.37.2 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.37.2 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron
What's New in MediaWiki 1.37.2
Security
- CVE-2022-28202 properly escape output used within galleries and Special:RevisionDelete.
- CVE-2022-28201 Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
- CVE-2022-28203 Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.
- CVE-2022-28204 Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.
Bug fixes and Changes
- Fix support for Composer 2.2.
- composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
- Update doctrine/dbal (3.0.0 => 3.1.5).
- Add entry point name to disabled Session exception if possible.
- MemcachedClient: Add support for IPv6.
- WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode.
- Suppress deprecation warnings from libxml_disable_entity_loader().
- Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
- Fix PHP 8.0 failure of WikiExporterFactoryTest.
- objectcache: Avoid getCurrentTime() call in MapCacheLRU::has().
- objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead.
- Fix the json schema and the extension processor for Parsoid extension modules.
- update.php: Avoid passing null to substr.
- (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField.
- In PHP 8.1 don't throw exceptions from mysqli.
- SiteConfiguration: Don't pass null to str_replace().
- Fix deprecation warning from CURLPIPE_HTTP1.
- Stop using is_resource() where possible.
- Apply ReturnTypeWillChange to various implementations of built in interfaces.
- Implement __serialize/__unserialize for PHP 8.1 support.
- ExtensionRegistry: Add process cache for lazy attributes.
- ApiPageSet: Add "missing": true to missing revisions.
- Allow ParsoidModules extension schema to register services.
- SpecialUndelete: Do not show empty comments as deleted.
- Allow setting max execution time to several special pages.
- LinkCache: Try invalidating cache before throwing.
- composer.json: Add ext-calendar to require.
- composer.json: Add ext-simplexml to require-dev.
- composer.json: Add various PHP extensions to suggests.
- Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
- Don't re-check "Move subpages" on Special:MovePage after a warning.
- listFiles: Display file name instead of version.
- Fix @since of Title::getId().
- Installer: Check correct PCRE_CONFIG_NEWLINE value.
- wrapOldPasswords: add \n to two output calls.