Wikitech-l October 2025

wikitech-l@lists.wikimedia.org
  • 27 participants
  • 33 discussions

TLDR: Mobile devices will receive the mobile version directly on the standard domain, instead of via a redirect to the mobile subdomain. The change is live in the Beta Cluster and on test wikis, and expected to follow a train-like rollout over the next few weeks.

Today, when you visit a link to a wiki (like en.wikipedia.org), the server responds in one of two ways: a desktop page, or a redirect to the equivalent mobile URL (like en.m.wikipedia.org). This mobile URL in turn serves the mobile version of the page from MediaWiki. Our CDN has operated this way since 2011, when we enabled MobileFrontend by default.

Diagram: Unified mobile routing - before and after <https://www.mediawiki.org/wiki/Requests_for_comment/Mobile_domain_sunsettin…>

This redirect causes a number of problems, [2] such as:

 • User experience: Links shared by mobile users always display in mobile mode instead of the mode for your device, even after opt-out.
 • Site performance: Every Google Search result click is delayed by the redirect before displaying the article.
 • SEO: There is a conflict in our link graph because standard URLs redirect to mobile, and mobile sets a canonical pointer back to the standard URL. This de-indexes or mis-indexes pages in Google. T400022 <https://phabricator.wikimedia.org/T400022>
 • Infrastructure cost: MediaWiki sends twice as many purges to our CDN infrastructure.
 • Technical debt and known issues (e.g. incompatibility with OAuth). [3]

Over the next few weeks, the CDN will serve the mobile version directly, without first redirecting the browser to the mobile subdomain.

What is not changing

 • Backend code may detect mobile mode via `MobileContext->shouldDisplayMobile()`.
 • Frontend code may detect mobile mode via `mw.config.get('wgMFMode')`. [4]
 • Third-party MediaWiki sites. This is a WMF configuration change only.
 • Mobile requests to MediaWiki (identical HTTP host and headers).
 • Existing mobile URLs continue to work.
 • The "Desktop" opt-out footer link.
 • The speed of light.

Backend requests unchanged

The mobile subdomain on WMF wikis is only recognised by Varnish (Wikimedia CDN). Varnish strips this "m" from the domain, activates MobileFrontend, and forwards the request to MediaWiki with the standard domain. [1]

This means MediaWiki core and extensions know how to handle mobile requests on the standard domain, because that's how it already works. It also means that the change is not observable (through supported means) by backend feature code in MediaWiki, because the mobile subdomains don't exist there.

What should I test?

If your gadget or MediaWiki extension does not vary its behavior for mobile, or detects mobile mode using the supported mechanism listed above, then you're all set.

Note that Minerva-specific or mobile-specific code in a MediaWiki extension is naturally compatible with unified mobile routing, if it was tested locally or in CI. When you install Minerva (and optionally MobileFrontend) in your dev environment, they operate without a mobile subdomain by default.

 • There is (probably) no mobile domain in your local dev environment.
 • There is no mobile domain in Patch demo.
 • There is no mobile domain in CI.

This infrastructure change aligns WMF production with how MediaWiki and MobileFrontend work by default. This decreases the potential for bugs we have today that can be exclusively found in production (via the mobile subdomain), and resolves a backlog of existing known issues. [3]

Unsupported checks in frontend code

If a JavaScript-based feature contains a hardcoded `m.` hostname check, then this will no longer match in the future. The most likely place to find hardcoded `m.` checks is in a gadget or user script that changes its appearance or logic for mobile pages.

Detecting the mobile mode in this way is unsupported and should be replaced with a supported mechanism <https://phabricator.wikimedia.org/T390923> instead. [4] An audit in April 2025 found there were 2 WMF-deployed extensions using this, which were confirmed to fall back gracefully or have since been adjusted. [5]

Where can I test?

The new unified mobile routing is live on these wikis:

 • Beta Cluster at https://beta.wmcloud.org
 • test wikis at https://test.wikipedia.org and https://test.wikidata.org
 • https://wikitech.wikimedia.org
 • https://office.wikimedia.org
 • https://www.mediawiki.org

For other production wikis, such as en.wikipedia.org, you can preview the change today by adding `?useformat=mobile` to a URL. This activates MobileFrontend on the standard domain, like it would in the future. For example: https://en.wikipedia.org/wiki/Banana?useformat=mobile.

The timeline <https://www.mediawiki.org/wiki/Requests_for_comment/Mobile_domain_sunsettin…> spans several weeks and should not require dedicated testing. If you're unsure, you can test on the pilot wikis above, or in production via the `useformat=mobile` parameter. If you find a bug with mobile toggling or another regression, please report a bug to Phabricator. If you have questions or need help with a gadget or user script, please reach out on the talk page <https://www.mediawiki.org/wiki/Talk:Requests_for_comment/Mobile_domain_suns…>.

-- Timo Tijhof

🔗 Read or share this post on the web via: https://www.mediawiki.org/wiki/Requests_for_comment/Mobile_domain_sunsettin…

[1]: Diagram of mobile routing before and after <https://www.mediawiki.org/wiki/Requests_for_comment/Mobile_domain_sunsettin…>
[2]: Problem statement and analysis on mediawiki.org <https://www.mediawiki.org/wiki/Requests_for_comment/Mobile_domain_sunsettin…>
[3]: Known issues listed in the Phabricator task <https://phabricator.wikimedia.org/T214998>
[4]: Remember that mobile detection should be rare in frontend code, because most differences are between skins (Minerva vs another skin) and not MobileFrontend.
[5]: Audit of unsupported m-dot checks in JavaScript <https://phabricator.wikimedia.org/T390923>

Phabricator improvements
by Andre Klapper 19 Nov '25

I am excited to announce that this is an exciting announcement.

Today the Wikimedia Release Engineering Team deployed a larger software upgrade of https://phabricator.wikimedia.org

You now better enjoy

* Performance improvements:
  - Global fulltext Search ignores data of uninstalled Phab apps
  - Embedded full size image files are lazy loaded
  - Using DNS preconnect for our separate file domain
  - Faster rendering of Project Burndown tabular reports
* Search user interface:
  - "Advanced Search" renamed to Global Search and application search
  - Global Search Scope dropdown: "Current Application" replaced by the actual app name; no more such option when the app does not support global fulltext search
  - Maniphest Task Search does not anymore show unused "Packages" and "Owners" when using typeahead in the "Subscribers" search field
  - Ctrl+Return in text boxes opens search results in a new tab
* User Profile pages:
  - New "Authored Tasks" one-click menu item in sidebar
  - Less ambiguous menu item names in sidebar
  - Support for images in WebP format as avatars
  - (admins only): One-click menu item to view Activity Log of user
  - (admins only): User's Two-Factor Auth status shown on profile page
* Project Workboards:
  - Those numbers in workboard column headers have now tooltips
  - Archived projects are now strike-through in navigation breadcrumbs
  - Automated Column Triggers: Allow setting the user who performs the move as task assignee
  - Thinner scrollbars in Firefox on Windows
  - Importing columns: No more crash when typeahead querying projects and search string is not a project name prefix
  - The "Move Tasks" action now requires "Can Bulk Edit Tasks" rights
* Herald automated actions:
  - New condition "Acting user's projects" available
  - No more "Unknown Object (????)" for custom field values in editor
* General text input:
  - No more text suddenly disappearing when writing {{#something:}}
  - Stripped surrounding whitespace when entering project or task titles
  - Support for "size=thumb" parameter when embedding video files
* Conduit API:
  - Support search select fields as constraints, e.g. "Group By" in maniphest.search, project status in project.search, status and hosted in diffusion.repository.search
  - Improved documentation of types in transaction.search
* User Preferences:
  - Email: No more useless "Audits" section (we uninstalled that app)
  - External Accounts: Shows tooltips for buttons
  - Multi-Factor Auth: Explains consequences of adding a second factor
* Projects:
  - Profile images: Show maximum picture dimensions at uploading
  - No more "set this color to Red" message editing archived projects
  - No more 404 error on URLs with an alternative hashtag of a milestone
* Project Report Charts:
  - Rotated x-axis labels for better readability
  - Improved line colors
* Files:
  - Support rendering images in WebP format
  - List of uploads includes the timestamp, not only the date
* Mobile: Support zooming on pages (e.g. when looking at image files)
* Mobile: Detection of Firefox on Android (to adjust content width)
* Tokens: Allow filtering given tokens by token types
* Wikibugs IRC bot: Report the color of milestones correctly
* (admins only) Allow changing email of bot and mailing list accounts
* Numerous crasher fixes
* Some accessibility improvements (ARIA labels, titles, etc)
* Cleaner CSS (less noise in your browser's Developer Tools' console)

Our Downstream dependency trees of tasks are at https://phabricator.wikimedia.org/T386558 and https://phabricator.wikimedia.org/T393840

I'd like to thank the Wikimedians BlankEclair, mainframe98, MatmaRex, pppery, taavi, valerio.bozzolan, xtex, who contributed patches to the upstream project at https://we.phorge.it. (Hope I forgot nobody?)

As usual, if you have comments or questions about Phab, please bring them up on https://www.mediawiki.org/wiki/Talk:Phabricator/Help !

Cheers,
andre (on behalf of the Wikimedia Release Engineering Team)

--
Andre Klapper (he/him) | Bugwrangler
https://blogs.gnome.org/aklapper/

Action API Rerouting
by Halley Coplin 30 Oct '25

Howdy API artists, bot builders, and tool tinkerers!

We are continuing to reroute all web API traffic through a common API Gateway. This week, Action API traffic began flowing through the common gateway. Requests from Group 0 wikis are now being routed through the common gateway, and we expect to follow the following deployment schedule for the remaining Wikimedia projects:

 - 100% Group 0 today (Oct 30)
 - 50% Group 1 on Monday, Nov 3
 - 100% Group 1 on Wednesday, Nov 5
 - All remaining wikis ramp up week of Nov 10

This is purely introducing another layer of infrastructure, and we expect the change to be non-breaking and non-disruptive. We are also keeping a close eye out for any anomalies as we dial up proportional traffic. If any issues are observed in your own bots, features, or tools, please file a phabricator ticket to the Service Ops team board <https://phabricator.wikimedia.org/tag/serviceops/>.

Why is this change happening?

As mentioned in the API as a Product Tech Blog <https://techblog.wikimedia.org/2025/06/12/apis-as-a-product-investing-in-th…> published earlier this year and as part of the WE5 objective <https://meta.wikimedia.org/wiki/Talk:Wikimedia_Foundation_Annual_Plan/2025-…> (KR5.2), we are working to consolidate and centralize our API infrastructure. Centralizing API routing will make observability across APIs easier, allowing us to make better data-driven decisions. Having a single, centralized API gateway also simplifies API management, enabling us to continue streamlining and standardizing our API offerings.

What’s next?

We will continue rerouting non-MediaWiki endpoints through the common gateway in the coming months. Keep an eye out for more announcements here and on Tech News <https://meta.wikimedia.org/wiki/Tech/News>!

Feel free to respond here, find us on phabricator, or add to an on-wiki discussion thread if you have any questions, comments, or concerns!

Thanks,
Halley

*Halley Coplin* (she/her)
Sr. Product Manager, MediaWiki Interfaces
Wikimedia Foundation <https://wikimediafoundation.org/>


Hello all,

If you use the mwscript-k8s tool to launch MediaWiki maintenance scripts on Kubernetes at WMF [0], this message is relevant to you.

*What is changing?*

On Monday, 3rd of November, the mwscript-k8s tool will default to launching scripts on PHP 8.3 instead of 8.1.

This is part of the ongoing migration of production MediaWiki workloads at WMF to PHP 8.3 [1] and follows the earlier introduction of 8.3 on an opt-in basis [2].

*If I encounter issues, is it possible to temporarily use PHP 8.1?*

Yes, if you encounter compatibility issues on 8.3, you can provide the --php_version=8.1 flag to the mwscript-k8s tool to select 8.1 instead.

Since this fallback will be removed at a later date, please open a sub-task of [3] to report the issue, so that it can be fixed.

*What about periodic maintenance jobs?*

Production periodic maintenance jobs [4] will migrate later on, trailing the mwscript-k8s migration by at least 1 week.

Feel free to reach out if you have any questions or concerns, either to me directly, on this thread, or via a task on Phabricator.

Many thanks,
Scott French
Service Ops SRE

[0] https://wikitech.wikimedia.org/wiki/Maintenance_scripts
[1] https://phabricator.wikimedia.org/T360995
[2] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/…
[3] https://phabricator.wikimedia.org/T401855
[4] https://wikitech.wikimedia.org/wiki/Mw-cron_jobs


Hello all,

The SRE and MediaWiki Engineering teams have started the process of migrating production MediaWiki workloads at WMF from PHP 8.1 to 8.3 [0], with a small-but-growing fraction of traffic serving on 8.3 since late last week.

This follows a long-running effort to prepare MediaWiki and our production environment for 8.3, and builds on what we learned while migrating from 7.4 to 8.1 earlier this year.

*What is the expected timeline?*

With the migration in its early stages, we anticipate completion within the next 2 - 3 weeks. More details on the migration process and timeline can be found in [1].

The timeline is subject to change if issues related to PHP 8.3 compatibility arise (i.e., requiring a pause or revert to 8.1).

*What if I discover a production issue related to PHP 8.3 compatibility?*

If you discover an issue related to the 8.3 migration, please open a subtask of [2] to report it.

In the event of an urgent or widespread issue that warrants reverting traffic to PHP 8.1 as soon as possible, please escalate to SRE in #wikimedia-sre on IRC.

Feel free to reach out if you have any questions or concerns, either to me directly, on this thread, or via a task on Phabricator.

Many thanks to all who have been involved in moving MediaWiki at WMF forward to PHP 8.3!

Scott French
Service Ops SRE

[0] https://phabricator.wikimedia.org/T360995
[1] https://phabricator.wikimedia.org/T405955
[2] https://phabricator.wikimedia.org/T401855

End of year deployment freeze 2025
by Tyler Cipriani 30 Oct '25

Hi all!

MediaWiki Train deployment will pause for the final two weeks of 2025: 22 December and 29 December.

Backport windows will pause between Mon, 22nd of December 2025 and Thursday, 02 January 2026.

End-of-year holidays and a team offsite mean there are seven deployment trains left in 2025 for MediaWiki:

- 25 Oct – 1.45.0-wmf.25 (This week)
- 03 Nov – 1.46.0-wmf.1
- 10 Nov – 1.46.0-wmf.2
- 17 Nov – 1.46.0-wmf.3
- 24 Nov – 1.46.0-wmf.4
- 01 Dec – 1.46.0-wmf.5
- 08 Dec – 1.46.0-wmf.6 No Train, backports normal (Release Engineering at Offsite)
- 15 Dec – 1.46.0-wmf.7
- 22 Dec – 1.46.0-wmf.8 No Deploys (Holiday: Tue–Fri)
- 29 Dec – 1.46.0-wmf.9 No Deploys (Holiday: Mon–Wed)

All this information is on the yearly deployment calendar[0].

We freeze deployments every year for the end-of-December holidays and the busy fundraising season[1][2][3][4][5][6][7].

Thanks!

Tyler Cipriani (he/him)
Engineering Manager, Release Engineering
Wikimedia Foundation

[0]: <https://wikitech.wikimedia.org/wiki/Deployments/Yearly_calendar>
[1]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2018/12>
[2]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2019/12>
[3]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2020/12>
[4]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2021/12>
[5]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2022/12>
[6]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2023/12>
[7]: <https://wikitech.wikimedia.org/wiki/Deployments/Archive/2024/12>


Hello Wikimedia REST API users!

As part of the RESTBase Sunsetting project <https://phabricator.wikimedia.org/T262315>, we are rerouting the lint endpoints in the Wikimedia REST API <https://www.mediawiki.org/wiki/Wikimedia_REST_API> through MediaWiki. Both page and transform lint endpoints are affected. This change is expected to be seamless and non-breaking. However, because this work involves a service change, we would like your help to ensure that no tools, bots, or other integrations relying on these endpoints are negatively impacted.

*==== Impacted endpoints ====*

Lint endpoints offered by the Wikimedia REST API <https://en.wikipedia.org/api/rest_v1/> (under the /api/rest_v1/ path) are being rerouted. No other endpoints are affected. The specific endpoints are limited to:

GET /page/lint/{title}/
GET /page/lint/{title}/{revision}
POST /transform/wikitext/to/lint
POST /transform/wikitext/to/lint/{title}
POST /transform/wikitext/to/lint/{title}/{revision}

*==== Timeline & next steps ====*

The rerouted endpoints are currently live on test.wikipedia.org -- please feel free to test and verify functionality there at your earliest convenience.

Assuming no issues are observed or reported, we plan to utilize the following deployment schedule:

 - *Tuesday, Oct 28*: Rerouting is live on test and test2 wikis.
 - *Monday, Nov 3*: Enable rerouting on Group 0 wikis.
 - *Tuesday, Nov 4*: Enable rerouting on Group 1 wikis.
 - *Thursday, Nov 6*: Enable rerouting on all remaining wikis.

*==== How to report issues ====*

Please see T384216 <https://phabricator.wikimedia.org/T384216> for more information, or to report any observed issues or changes in behavior related to this rerouting. You may also reply directly to this email, or file a new ticket to the MediaWiki Interfaces team board <https://phabricator.wikimedia.org/project/view/6931/>.

Thanks,
Halley

*Halley Coplin* (she/her)
Sr. Product Manager, MediaWiki Interfaces
Wikimedia Foundation <https://wikimediafoundation.org/>

Tech News 2025, week 44
by Sandister Tei 27 Oct '25

Latest *tech news <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News>* from the Wikimedia technical community. Please tell other users about these changes. Not all changes will affect you. Translations <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News/2025/44> are available.

*Updates for editors*

 - The Wikipedia iOS app has launched an A/B/C test of improvements made to the tabbed browsing feature for select regions and languages. The test, named “More dynamic tabs”, explores new tab experiences and includes “Did you know” and “Because you read” article recommendations. You can read more on the project page <https://www.mediawiki.org/wiki/Special:MyLanguage/Wikimedia_Apps/Team/iOS/T…>.
 - Autoconfirmed users on small <https://gerrit.wikimedia.org/g/operations/mediawiki-config/%2B/a2d2aaab9ace…> and medium wikis <https://gerrit.wikimedia.org/g/operations/mediawiki-config/%2B/a2d2aaab9ace…> with the CampaignEvents extension can now use Event Registration <https://meta.wikimedia.org/wiki/Special:MyLanguage/Event_Center/Registration> without the Event Organizer right. This feature lets organizers enable registration, manage participants, and lets users register with one click instead of signing event pages.
 - View all 31 community-submitted tasks that were resolved last week <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News/Recently_resol…>. For example, the issue of flashing colors when holding or pressing the arrow keys under the dark mode settings in Vector 2022 has been fixed. [1] <https://phabricator.wikimedia.org/T402285>

*Updates for technical contributors*

 - The CampaignEvents extension will be deployed to all remaining wikis during the week of 17 November 2025. The extension currently includes three features: Event Registration, Collaboration List, and Invitation List. For this rollout, Invitation List will not be enabled on Wikifunctions and MediaWiki unless requested by those communities. Visit the deployment page to learn more <https://meta.wikimedia.org/wiki/Special:MyLanguage/CampaignEvents/Deploymen…>.
 - The SwaggerUI-based REST sandbox experience is now live on all wiki projects. The sandbox can be accessed through the Special:RestSandbox <https://meta.wikimedia.org/wiki/Special:RestSandbox> page. Please report any issues to the MediaWiki Interfaces team board, or join the discussion on the project launch <https://www.mediawiki.org/wiki/Special:MyLanguage/MediaWiki_Interfaces_Team…> page. [2] <https://phabricator.wikimedia.org/project/board/6931/>
 - Transform endpoints with a trailing slash path in the MediaWiki REST API are now marked as deprecated. They will remain functional during this time, but removal is expected by the end of January 2026. All API users currently calling them are encouraged to transition to the non-trailing slash versions. Both endpoint variations can be found and tested using the REST Sandbox <https://test.wikipedia.org/w/index.php?api=mw-extra&title=Special%3ARestSan…>. See the MediaWiki REST API Deprecation <https://www.mediawiki.org/wiki/API/Deprecation> page for more detailed information about the API deprecation policies and procedures.
 - A dedicated changelog now exists for the MediaWiki REST API <https://www.mediawiki.org/wiki/API:REST_API/Changelog>. The changelog provides an overview of these changes, making it easier for developers to keep track of improvements and iterations. Announcements will also continue to flow through the standard communication channels, including Tech News and email distribution lists, but can now be more easily referenced from a central location. If you have feedback about the style, structure, or content of this changelog, please join the discussion <https://www.mediawiki.org/wiki/API_talk:REST_API/Changelog>.
 - Administrators can delete the tracking category which was previously added by the JsonConfig extension, as it is no longer used. See the categories linked from Q130635582 <https://www.wikidata.org/wiki/Q130635582#sitelinks-wikipedia>. It is OK if there are still pages listed in the category as that is just a caching issue, and they will be automatically cleared out the next time each page is edited. [3] <https://phabricator.wikimedia.org/T378352>
 - Detailed code updates later this week: MediaWiki <https://www.mediawiki.org/wiki/MediaWiki_1.45/wmf.25>

*Tech news <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News> prepared by Tech News writers <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News/Writers> and posted by bot <https://meta.wikimedia.org/wiki/Special:MyLanguage/User:MediaWiki_message_d…> • Contribute <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News#contribute> • Translate <https://meta.wikimedia.org/wiki/Special:MyLanguage/Tech/News/2025/44> • Get help <https://meta.wikimedia.org/wiki/Tech> • Give feedback <https://meta.wikimedia.org/wiki/Talk:Tech/News> • Subscribe or unsubscribe <https://meta.wikimedia.org/wiki/Global_message_delivery/Targets/Tech_ambass…>.*


Greetings-

With the security/maintenance release of MediaWiki 1.39.14/1.43.4/1.44.1, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:

Lockdown
+ (T397521, CVE-2025-12004) - Compare API module breaks Lockdown Extension
(Note: this issue was resolved by a MediaWiki core patch)
https://gerrit.wikimedia.org/r/q/Id275382743957004fa7fc56318fc104d8e2d267b

DiscordNotifications
+ (GHSA-gvfx-p3h5-qf65, CVE-2025-53371) - DOS, SSRF and possible RCE through requests to user-controlled URLs
https://github.com/miraheze/DiscordNotifications/security/advisories/GHSA-g…
https://github.com/miraheze/DiscordNotifications/commit/1f20d850cbcce5b1595…

DynamicPageList3
+ (GHSA-7pgw-q3qp-6pgq, CVE-2025-53625) - Exposure of hidden/suppressed usernames
https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHS…

LastModified
+ (T399583, CVE-2025-62693) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/Ia406630dbac5ef9a9aed3f402f0ba6e434a6bcf2

MultiBoilerplate
+ (T399658, CVE-2025-62700) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I10e205e3027d4772b2cd9801647fc6c171e4b35b

ExternalGuidance
+ (T399662, CVE-2025-62698) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I8bfb3c2766982f6633f47ed35720d4d9f51da71d

LanguageSelector
+ (T399724, CVE-2025-62697) - Improperly sanitized style parameter in LanguageSelector
https://gerrit.wikimedia.org/r/q/I338288e756de4e58a3f1f02a9c205b37f4927935

Translate
+ (T399627, CVE-2025-62699) - Edits performed using the Special:Translate tool do not use the correct IP and User-Agent in the CheckUser tool
https://gerrit.wikimedia.org/r/q/Idac164418362c65d0ad37055fe9e0ad134197da3
https://gerrit.wikimedia.org/r/q/I65c740c8ca5130b40463d687e2f0775951abbf22

Springboard
+ (T400422, CVE-2025-62696) - Multiple critical security issues including unauthenticated RCE
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Springboard/+/1174003

WikiLambda
+ (T400500, CVE-2025-62695) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/Id6e96d54b4dd73af205c69ba8774c0fd51632c87

WikiLove
+ (T400525, CVE-2025-62694) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I17fc061112f61b4c37b772410b265df060819416

PageTriage
+ (CVE-2025-62704, T400526) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I86c5f17364c7351e7c06ce4cc6e5592467bc8dc3

Wikistories
+ (CVE-2025-62701, T400545) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I86c3bb7b7ce2d856cd2a5be787b703c85d7c41fa

Skin:BlueSky
+ (T401046, CVE-2025-62665) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I64c9e2983ed6629505f72ef9449c09137b3c69ae

Tilesheets
+ (GHSA-hqfr-7cm9-4h87, CVE-2025-54865) - Potential SQL injection
https://github.com/FTB-Gamepedia/Tilesheets/security/advisories/GHSA-hqfr-7…

ImageRating
+ (T402002, CVE-2025-62664) - Stored XSS through a system message
https://gerrit.wikimedia.org/r/q/Ie42bba0d80bace319cf88d71233db1f598ac613b

SecurePoll
+ (T402076, CVE-2025-11937) - Stored XSS through a system message
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1189186

UploadWizard
+ (T402095, CVE-2025-62663) - Stored XSS through a system message
https://gerrit.wikimedia.org/r/q/I37ea7c8825e9de776e207b3919b451ba2b905369

AdvancedSearch
+ (T402146, CVE-2025-62662) - Stored XSS through system messages
https://gerrit.wikimedia.org/r/q/I91bba2b570643ef74e6c210e7250e05cd2aa388e

Cargo
+ (T402147, CVE-2025-62671) - Stored XSS through wikitext
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1179707

FlexDiagrams
+ (T402149, CVE-2025-62670) - Stored XSS through a system message
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlexDiagrams/+/1179692

Thanks
+ (T397497, CVE-2025-61654) - Incorrect permission checking
https://gerrit.wikimedia.org/r/q/Idbc1b5a288ffaa7074eedcbac066358a8ec649dc

GrowthExperiments
+ (T397497, CVE-2025-61654) - Incorrect permission checking
https://gerrit.wikimedia.org/r/q/Ia584966bb7d4d707eef50529293aa3d468470f18

GrowthExperiments
+ (T402698, CVE-2025-62667) - Stored XSS through article extracts
https://gerrit.wikimedia.org/r/q/Iafd0acccf9a5c20d9e955d7bc3de1304968401ec

CirrusSearch
+ (T401220, CVE-2025-62666) - DoS vector through the cirrusbuilddoc query API
https://gerrit.wikimedia.org/r/q/I3e8d819868c0491b18368af8e543180e747023c2

WebAuthn
+ (T403093, CVE-2025-62652) - Stored XSS in WebAuthn key name
https://gerrit.wikimedia.org/r/q/I871ad11a68aad2a6389fdd918de5fcf0921f5a7c

PollNY
+ (T403923, CVE-2025-62653) - Stored XSS through system messages in PollNY
https://gerrit.wikimedia.org/r/q/If235d6e6c1d37de6748ef4774cdb3438f52ac532

QuizGame
+ (T403924, CVE-2025-62654) - Stored XSS through system messages in QuizGame
https://gerrit.wikimedia.org/r/q/Iafb81db227107cd8be204f1b6f4eccd06fbec8ce

3DAlloy
+ (GHSA-f2rp-232x-mqrh, CVE-2025-59332) - Stored XSS through attributes provided to the 3d parser tag/function
https://github.com/dolfinus/3DAlloy/security/advisories/GHSA-f2rp-232x-mqrh

Cargo
+ (T404016, CVE-2025-62655) - SQL injection in Cargo via Special:CargoExport
https://gerrit.wikimedia.org/r/q/I649ec974c33ad7c4e2338e2f5d8c497153dd6d25
https://gerrit.wikimedia.org/r/q/I9039a39aa92de193a2f2e9816856adc8c757cf85

WikiLambda
+ (T404392) - Arbitrary HTML injection through error display on Wikifunctions
https://gerrit.wikimedia.org/r/q/T404392

CookieConsent
+ (T404475, CVE-2025-62659) - CookieConsent should use reserved data attributes to avoid potential XSS vectors
https://gerrit.wikimedia.org/r/q/Ib6a53470f9f00fc180cac9fceddd0a3c43887825

GlobalBlocking
+ (T403291, CVE-2025-62656) - GlobalBlocking Special:GlobalBlockList vulnerable to message key stored XSS
https://gerrit.wikimedia.org/r/q/I684c8ec425c7baa722a694ef23d5b6e2a4c3d57b

PageForms
+ (T405357, CVE-2025-62657) - Stored XSS through system messages in PageForms
https://gerrit.wikimedia.org/r/q/Ic88edd43f356935767730a97ccaf841758c854f1

EmbedVideo (fork)
+ (GHSA-4j5h-mvj3-m48v, CVE-2025-59839) - Stored XSS through wikitext caused by usage of non-reserved data attributes
https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security…

WatchAnalytics
+ (T406380, CVE-2025-62658) - SQL injection in WatchAnalytics through Special:ClearPendingReviews
https://gerrit.wikimedia.org/r/q/I6c0018713e0fe0a2ec3610508ea3581e2c8035e4

The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or relevant, supported release branch [2] as soon as possible. Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sometimes sensitive information is exposed and since Phabricator is historical, we cannot make these tasks public without exposing this sensitive information. If you have any additional questions or concerns regarding this update, please feel free to contact security(a)wikimedia.org or file a security task within Phabricator [3].

[1] https://phabricator.wikimedia.org/T397776
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

--
Scott Bassett
sbassett(a)wikimedia.org