CVE-2022-47927: Security and maintenance release: 1.35.9 / 1.38.5 / 1.39.1 - MediaWiki-announce

I would like to announce the release of MediaWiki 1.35.9, 1.38.5 and 1.39.1! The security fix included in this release was considered low risk, hence the lack of a pre-release announcement. It only takes effect on new installs using SQLite. If you’re using SQLite already on a shared host, you may want to check the file permissions of the database file, and stop them being readable by "everyone". More information can be found on the linked task, T322637. These releases also serve as a maintenance release for these branches. The tarballs have already been uploaded as of this e-mail, and the git tags have been pushed. A “MediaWiki Extensions Security Release Supplement” e-mail will follow this one, covering security updates for non-bundled extensions. Various patches aimed at PHP 8.0, 8.1, and 8.2 support have been back-ported. This should fix a lot of log spam, and MediaWiki should work on both released versions (PHP 8.0 and 8.1). Reports of bugs with PHP 8.0, 8.1, or 8.2 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/ and https://phabricator.wikimedia.org/tag/php_8.2_support/ for the relevant work boards. As a reminder, 1.37 became end of life (EOL) in November 2022. It is recommended to upgrade to 1.38, or to 1.39 (the next LTS after 1.35) which was released in November 2022. == Security fixes == * (T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable. == Links to all mentioned tasks == * https://phabricator.wikimedia.org/T322637 == Release notes == Full release notes for 1.35.9: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.35 Full release notes for 1.38.5: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_38/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.38 Full release notes for 1.39.1: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_39/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release_notes/1.39 For information about how to upgrade, see https://www.mediawiki.org/wiki/Manual:Upgrading ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.tar.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.zip Patch to previous version (1.35.8): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.gz https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.tar.gz.… https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.9.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.zip.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.9.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.tar.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.zip Patch to previous version (1.38.4): https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.gz https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.tar.gz.… https://releases.wikimedia.org/mediawiki/1.38/mediawiki-core-1.38.5.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.zip.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.5.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.zip Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.tar.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.zip Patch to previous version (1.39.0): https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.gz https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.zip GPG signatures: https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.39/mediawiki-core-1.39.1.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.zip.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.1.patch.zip.sig Public keys: https://www.mediawiki.org/keys/keys.html