Update Feed

MediaWiki 1.40.1

2 October 2023

MediaWiki version 1.40.1 is now available (security release).

Upgrading to MediaWiki 1.40.1

MediaWiki 1.40.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.40.1 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron

What's New in MediaWiki 1.40.1

Security

(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
(T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration).

Bug Fixes and Changes

Localisation updates.
docs: Fix a few typos in MainConfigSchema.
(T290464) Add DiscussionTools bundling to release notes.
(T309714) mime: Add support for 'font/sfnt' mime type.
(T341434) WikiImporter: Improve error message output.
(T341737) ApiBase: Cast $id to string in filterIDs.
(T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
(T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
(T237898) installer: Check MariaDB version in updater/installer.
(T342632) ApiComparePages: Add help url.
(T326182, T324903) EditPage: Add #[AllowDynamicProperties].
(T342351) rdbms: Fix postgres db function call.
(T343675) user: Use {@} to escape annotation when writting about annotation.
(T343797) LanguageWa: Fix double timezone adjustment.
(T343669) skins: Avoid function call on array.
(T326454) Update pear/mail to 1.5.1.
(T343622) docs: Set the <comment> tag back to optional.
(T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
Updated jQuery from v3.6.1 to v3.7.1.
(T337463) wdio-mediawiki: await saveScreenshot.
(T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
doc: Improve description of "type" in extension.schema.v2.json.
Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
(T288624) MultiHttpClient: Unset $this->cmh after closing it.
(T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
(T265734) API Help: Note that parameters may be inherited from other context.
(T285545) i18n: Split apihelp for standard dir parameter.
(T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
(T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
(T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
(T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
(T285545) i18n: Split apihelp for parameter action=managetags&operation=.
(T285545) api: Add message for list=watchlist&wlprop=expiry.
(T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
(T342633) api: Add message for action=compare&prop=timestamp.
API: revids=… does not necessarily return the queried revisions.
(T235207) Get correct main page in API call examples.
doc: Make extension.schema.v2.json a valid JSON schema.
(T326696) Add since tag to UserOptionsManager::MAX_BYTES_OPTION_VALUE.
updateSpecialPages.php: Avoid implicit float conversion on modulo.
(T347227) ImportReporter: Make callback functions public.
(T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
doc: Improve description of type in extension.schema.v1.json.