MediaWiki 1.39.12
11 April 2025
MediaWiki version 1.39.12 is now available (security release).
Upgrading to MediaWiki 1.39.12
MediaWiki 1.39.12 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.39.12 upgrade prior to applying it live.
What's New in MediaWiki 1.39.12
This is a security and maintenance release of the MediaWiki 1.39 branch.
Security
- LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
- Potential JavaScript injection attack enabled by Unicode normalization in Action API.
- i18n XSS vulnerability in HTMLMultiSelectField when sections are used.
Bug Fixes and Changes
- Localisation updates.
- session: Do not set session.use_trans_sid.
- $wgDnsBlacklistUrls now defaults to an empty array. See the comment in the "Configuration changes for system administrators" section.
- dumps: Use proc_close() to close proc_open() subprocess.
- Account for null values in Exif data.
- FormatMetadata: Prevent running preg_match() on null.
- specialpage: Improve handling of invalid lang codes on login/signup.
- MultiUsernameFilter: Don't try to split ids if they're not a string.
- Fix Site::getPath() + MediaWikiSite::getFileUrl() confusion.
- feeds: Fix str_replace() deprecation warnings on PHP 8.
- exception: Suppress dependency loop exception.
- RateLimiter: Fix peek mode.
- SECURITY: Update wikimedia/parsoid to 0.16.5.
- Sanitizer::normalizeWhitespace warn on preg_replace error.
- RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable.
- ImportImages: Exit with non-zero code if import fails.
- Request: Improve log message when headers already sent.
- Avoid trying to load the session user in MW_NO_SESSION endpoints.
- HttpError: Cast Message to string.
- ApiLogin: Don't break BotPasswords if password or user is blank, just error.
- Sanitizer::normalizeSectionNameWhitespace: Apply same anti-null fix as 270499b.
- upload: Suppress warnings from iconv().
- Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
- SECURITY: Apply proper restrictions on file revert action.
- MagicWord::replace*: Make sure we don't pass null into preg_match/preg_replace.
- ResourceLoader: update wikimedia/minify to 2.9.0.
- ResourceLoader: Set "math=always" before Less.php 5.0 upgrade.
- FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1 ($haystack).
- In .htaccess deny files, use "Satisfy All".
- block: Fix DBS::acquireTarget() race using GET_LOCK().
- permissions: Check cascade protection only if page can exist.