[01:54:16] <MirahezeRelay>	 <rodejong> [1/23] Security and maintenance release: 1.39.16 / 1.43.6 / 1.44.3 / 1.45.1
[01:54:16] <MirahezeRelay>	 <rodejong> [2/23] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
[01:54:17] <MirahezeRelay>	 <rodejong> [3/23] Sam Reed @ 10 Dec 2025 10:22 p.m.
[01:54:17] <MirahezeRelay>	 <rodejong> [4/23] I would like to announce the release of MediaWiki 1.39.16, 1.43.6, 1.44.3 and 1.45.1!
[01:54:17] <MirahezeRelay>	 <rodejong> [5/23] These releases serve as security and maintenance releases for these branches.
[01:54:18] <MirahezeRelay>	 <rodejong> [6/23] The tarballs have already been uploaded as of this email, and the git tags will be pushed shortly.
[01:54:18] <MirahezeRelay>	 <rodejong> [7/23] A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
[01:54:18] <MirahezeRelay>	 <rodejong> [8/23] [...]
[01:54:18] <MirahezeRelay>	 <rodejong> [9/23] As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, MediaWiki 1.40 became EOL in June 2024, MediaWiki 1.41 became EOL in December 2024 and MediaWiki 1.42 became EOL at the end of June 2025.
[01:54:19] <MirahezeRelay>	 <rodejong> [10/23] MediaWiki 1.39 (the old LTS before 1.43) becomes EOL in December 2025, later this month. It is strongly recommended to upgrade to 1.43 (the next LTS after 1.39), which will be supported until December 2027.
[01:54:19] <MirahezeRelay>	 <rodejong> [11/23] [...]
[01:54:19] <MirahezeRelay>	 <rodejong> [12/23] == Security fixes ==
[01:54:20] <MirahezeRelay>	 <rodejong> [13/23] T401987, T401995 - Disable xslt option by default.
[01:54:20] <MirahezeRelay>	 <rodejong> [14/23] T406639 - Escape word-separator message in Special:ApiSandbox.
[01:54:21] <MirahezeRelay>	 <rodejong> [15/23] T406664 - Escape square brackets in autocomment links.
[01:54:21] <MirahezeRelay>	 <rodejong> [16/23] T405859 - Do not use importers IP in case of external rev author.
[01:54:22] <MirahezeRelay>	 <rodejong> [17/23] T385403 - Always escape commas in mail encoded-words.
[01:54:22] <MirahezeRelay>	 <rodejong> [18/23] T407131 - Sanitizer: disallow underscore and wide underscore in data-* attribute names.
[01:54:23] <MirahezeRelay>	 <rodejong> [19/23] T401053 - Check read permissions in ApiQueryRevisionsBase.
[01:54:23] <MirahezeRelay>	 <rodejong> [20/23] T409226 - mediawiki.page.preview: Escape 'comma-separator' between multiple protection levels.
[01:54:24] <MirahezeRelay>	 <rodejong> [21/23] T251032 - Disallow 'style' attribute in client-side messages (jqueryMsg).
[01:54:24] <MirahezeRelay>	 <rodejong> [22/23] T408135 - Lua segfault in unpack().
[01:54:25] <MirahezeRelay>	 <rodejong> [23/23] [Truncated due to discord limits. hyperkitty link has full details]
[10:09:54] <MirahezeRelay>	 <toosplatched> why not use discord's announcement feature instead of a manual copy and paste?
[10:26:01] <MirahezeRelay>	 <rodejong, replying to toosplatched> Because I copied it, to also paste it in my userpages, and didn't want to do it double. 🤷🏻‍♂️
[11:55:53] <MirahezeRelay>	 <awing_ding> I think the point is to make a channel following MediaWiki announcement via the discord feature instead of copying manually
[12:01:06] <MirahezeRelay>	 <rhinosf1, replying to toosplatched> Because tech have no interest cause we have our own ways of being told
[12:01:48] <MirahezeRelay>	 <rhinosf1> Tech has a decent idea of what's coming so we are often prepared
[12:11:01] <MirahezeRelay>	 <originalauthority> Yeah the copy and paste everytime pretty annoying and unnecessary