MediaWiki 1.42.6
11 April 2025
MediaWiki version 1.42.6 is now available (security release).
Upgrading to MediaWiki 1.42.6
MediaWiki 1.42.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.42.6 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron
What's New in MediaWiki 1.42.6
This is a security and maintenance release of the MediaWiki 1.42 branch.
Bug Fixes and Changes
- Localisation updates.
- language: Use fallback chain to create NumberFormatter.
- feeds: Fix str_replace() deprecation warnings on PHP 8.
- phpunit: Fix bootstrap script when no extensions are installed.
- ExternalLinks: fix mailto: links reversal.
- exception: Suppress dependency loop exception.
- RateLimiter: Fix peek mode.
- SECURITY: Update wikimedia/parsoid to 0.19.2.
- Sanitizer::normalizeWhitespace warn on preg_replace error.
- RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable.
- ImportImages: Exit with non-zero code if import fails.
- Request: Improve log message when headers already sent.
- Avoid trying to load the session user in MW_NO_SESSION endpoints.
- HttpError: Cast Message to string.
- permissions: Avoid potential infinite loop if BlockDisablesLogin = true.
- ApiLogin: Don't break BotPasswords if password or user is blank, just error.
- MagicWord::replace*: Make sure we don't pass null into preg_match/ preg_replace.
- Html: Fix "substr(): Passing null to parameter #1 ($string) of type string is deprecated".
- Sanitizer::normalizeSectionNameWhitespace: Apply same anti-null fix as 270499b.
- upload: Suppress warnings from iconv().
- Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
- SECURITY: Apply proper restrictions on file revert action.
- SECURITY: PermissionManager: Differentiate between cascading protection of file content and file pages.
- initEditCount: Join from user to actor to revision.
- ResourceLoader: update wikimedia/minify to 2.9.0.
- ResourceLoader: Set "math=always" before Less.php 5.0 upgrade.
- FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1 ($haystack).
- In .htaccess deny files, use "Satisfy All".
- block: Fix DBS::acquireTarget() race using GET_LOCK().
- RestrictionStore: Remove short-circuit mode when fetching cascading sources.
- SECURITY: LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
- SECURITY: Potential javascript injection attack enabled by Unicode normalization in Action API.
- SECURITY: i18n XSS vulnerability in HTMLMultiSelectField when sections are used.