-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.4rc1 is a security and bug fix release for the 1.4 beta
series.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.
As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the
additional fields.
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and confirm existence of files not deletable.
== Changes since 1.4beta6 ==
* Fix notice error on nonexistent template in wikitext system message
* (bug 1469) add missing <ul> tags on Special:Log
* (bug 1470) remove extra <ul> tags from Danish log messages
* Fix notice on purge w/ squid mode off
* (bug 1477) hide details of SQL error messages by default
  Set $wgShowSQLErrors = true for debugging.
* (bug 1430) Don't check for template data when editing page that
doesn't exist
* Recentchanges table purging fixed when using table prefix
* (bug 1431) Avoid redundant objectcache garbage collection
* (bug 1474) Switch to better-cached index for statistics page count
* Run Unicode normalization on all input fields
* Fix translation for allpagesformtext2 in LanguageZh_cn and LanguageZh_tw
* Block image revert without valid login
* (bug 1446) stub Bambara (bm) language file using French messages
* (bug 1432) Update Estonian localization
* (bug 1471) unclosed <p> tag in Danish messages
* convertLinks script fixes
* Corrections to template loop detection
* XHTML encoding fix for usernames containing & in Special:Emailuser
* (for zh) Search for variant links even when conversion is turned off,
  to help prevent duplicate articles.
* Disallow ISO 8859-1 C1 characters and "no-break space" in user names
  on Latin-1 wikis.
* Correct the name of the main page in LanguageIt
* Allow Special:Makesysop to work for usernames containing SQL special
  characters.
* Fix annoying blue line in Safari on scaled-down images on description page
* Increase upload sanity checks
* Fix XSS bug in Media: links
* Add cross-site form submission protection to various actions
* Fix fatal error on some dubious page titles
* Stub threshold displays correctly again
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=307068
Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.4rc1.tar.gz?download
Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCGYICwRnhpk1wk44RAp4SAJ9tUo4wzkeAwe7uJ3tQbKI2ZBYNXwCgyK1a
T6y4UfuG7ejvIOzyiOGq85Q=
=idOV
-----END PGP SIGNATURE-----
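The directory traversal item in the announcement above describes an unchecked filename parameter in image deletion. The following is an added illustration, not code from the announcement or from MediaWiki, of how a deletion handler can confine a request-supplied name to the upload directory and give the same answer for missing and non-deletable files so the response does not confirm existence. UPLOAD_DIR, resolve_upload, store_upload and delete_upload are this example's own names; the sandbox directory and the sample file are constructed.

```python
import os
import tempfile

# Constructed sandbox standing in for the wiki's images/ directory; real
# code would use its configured upload path (an assumption of this example).
UPLOAD_DIR = tempfile.mkdtemp(prefix="mw-images-")


def resolve_upload(filename: str):
    """Map an untrusted filename parameter to a path inside UPLOAD_DIR.

    Returns None unless the name is a bare file name whose resolved
    location (after symlink resolution) sits directly under the root.
    """
    if filename in ("", ".", "..") or filename != os.path.basename(filename):
        return None
    root = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(target) != root:
        return None
    return target


def store_upload(filename: str, data: bytes) -> bool:
    """Write an upload into UPLOAD_DIR using the same name validation."""
    target = resolve_upload(filename)
    if target is None:
        return False
    with open(target, "wb") as fh:
        fh.write(data)
    return True


def delete_upload(filename: str) -> str:
    """Delete an upload named by a request parameter.

    Out-of-tree names are rejected; missing and non-deletable files both
    yield 'not deleted' so the caller cannot tell which case occurred.
    """
    target = resolve_upload(filename)
    if target is None:
        return "rejected"
    try:
        os.remove(target)
    except OSError:
        return "not deleted"
    return "deleted"


def demo():
    """Constructed walkthrough: one stored file, four deletion requests."""
    store_upload("Example.png", b"\x89PNG constructed sample")
    return [
        delete_upload("../../LocalSettings.php"),   # traversal attempt: 'rejected'
        delete_upload("Example.png"),               # 'deleted'
        delete_upload("Example.png"),               # already gone: 'not deleted'
        delete_upload("Missing.png"),               # never existed: 'not deleted'
    ]


if __name__ == "__main__":
    print(demo())
```

The basename check alone would already reject `../` names; the realpath containment check is kept as a second layer so a symlink planted inside the upload directory cannot redirect the deletion outside it.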
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.3.11 is a security release.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.
As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the
additional fields.
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and confirm existence of files not deletable.
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=307067
Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.11.tar.gz?download
Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCGYHOwRnhpk1wk44RAhlzAKDSk3J8cRhBxD/arNc84uaLqeKAtgCfcJ2m
VRX58OZ0qf0b1dqhmfMFFe4=
=oYqv
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.4beta6 is a security and bug fix release for the 1.4 beta
series.
In previous 1.4beta and 1.3.x releases an attacker could craft a URL
which, when visited by a particular logged-in user, would execute
arbitrary JavaScript code on the user's browser in the wiki's site
context. This attack has been blocked, and as an extra precaution the
user CSS and JavaScript subpage support is now disabled by default.
Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs
in LocalSettings.php.
Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.
1.3.x users not using the 1.4 beta should upgrade to 1.3.10.
Note that 1.4 beta releases prior to beta 5 include an input validation
error which could lead to execution of arbitrary PHP code on the server.
Users of older betas should upgrade immediately to the current version.
Beta 6 also introduces the use of rel="nofollow" attributes on external
links in wiki pages to reduce the effectiveness of wiki spam. This will
cause participating search engines to ignore external URL links from
wiki pages for purposes of page relevancy ranking.
The current implementation adds this attribute to _all_ external URL
links in wiki text (but not internal [[wiki links]] or interwiki links).
To disable the attribute for _all_ external links, add this line to your
LocalSettings.php:
  $wgNoFollowLinks = false;
For background information on nofollow see:
  http://www.google.com/googleblog/2005/01/preventing-comment-spam.html
=== Changes since beta 5 ===
* (bug 1335) implement 'tooltip-watch' in Language.php
* Fix linktrail for nn: language
* (bug 1214) Fix prev/next links in Special:Log
* (bug 1354) Fix linktrail for fo: language
* (bug 512) Reload generated CSS on preference change
* (bug 63) Fix displaying as if logged in after logout
* Set default MediaWiki:Sitenotice to '-', avoiding extra database hits
* Skip message cache initialization on raw page view (quick hack)
* Fix notice errors in wfDebugDieBacktrace() in XML callbacks
* Suppress notice error on bogus timestamp input (returns epoch as before)
* Remove unnecessary initialization and double-caching of parser variables
* Call-tree output mode for profiling
* (bug 730) configurable $wgRCMaxAge; don't try to update purged RC entries
* Add $wgNoFollowLinks option to add rel="nofollow" on external links
  (on by default)
* (bug 1130) Show actual title when moving page instead of encoded one.
* (bug 925) Fix headings containing <math>
* (bug 1131) Fix headings containing interwiki links
* (bug 1380) Update Nynorsk language file
* (bug 1232) Fix sorting of cached Special:Wantedpages in miser mode
* (bug 1217) Image within an image caption broke rendering
* (bug 1384) Make patrol signs have the same width for page moves as for
edits
* (bug 1364) fix "clean up whitespace" in Title:SecureAndSplit
* (bug 1389) i18n for proxyblocker message
* Add fur/Furlan/Friulian to language names list
* Add TitleMoveComplete hook on page renames
* Allow simple comments for each translation rule in MW:Zhconversiontable
* (bug 1402) Make link color of tab subject page link on talk page
indicate whether article exists
* (bug 1368) Fix SQL error on stopword/short word search w/ MySQL 3.x
* Translated Hebrew namespace names
* (bug 1429) Stop double-escaping of block comments; fix formatting
* (bug 829) Fix URL-escaping on block success
* (bug 1228) Fix double-escaping on & sequences in [enclosed] URLs
* (bug 1435) Fixed many CSS errors
* (bug 1457) Fix XHTML validation on category column list
* (bug 1458) Don't save if edit form submission is incomplete
* Logged-in edits and preview of user CSS/JS are now locked to a session
token.
* Per-user CSS and JavaScript subpage customizations now disabled by
  default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra precaution.
  If your web server is configured to serve Ogg files with the correct
  Content-Type header, you can re-add it in LocalSettings.php:
    $wgFileExtensions[] = 'ogg';
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=302312
Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.4beta6.tar.gz?download
Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCAyhRwRnhpk1wk44RAnIUAKDdqRHUZeEM8g9+qazg+9yxtLpMogCgxNGb
0cawqMHSyQSVbc7CFav4hMg=
=qmq7
-----END PGP SIGNATURE-----
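The 1.4beta6 announcement above explains that rel="nofollow" is added to all external URL links but not to internal or interwiki links, under a switch that is on by default. The block below is an added toy renderer written for this page, not MediaWiki's parser, showing that distinction: NO_FOLLOW_LINKS stands in for $wgNoFollowLinks, the regular expressions cover only bracketed link syntax, and the interwiki prefix table and sample wikitext are constructed.

```python
import html
import re

# Stands in for $wgNoFollowLinks; the announcement says it defaults to on.
NO_FOLLOW_LINKS = True

# Constructed interwiki prefix table (an assumption of this example).
INTERWIKI = {"wikipedia": "http://en.wikipedia.org/wiki/"}

EXTERNAL = re.compile(r"\[(https?://[^\s\]]+)(?:\s+([^\]]*))?\]")
INTERNAL = re.compile(r"\[\[([^\]|]+)(?:\|([^\]]*))?\]\]")


def render_internal(match):
    """[[Page]] and [[prefix:Page]] links: never tagged rel=nofollow."""
    target = match.group(1)
    label = match.group(2) or target
    prefix, sep, rest = target.partition(":")
    if sep and prefix in INTERWIKI:
        href = INTERWIKI[prefix] + rest.replace(" ", "_")
    else:
        href = "/wiki/" + target.replace(" ", "_")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(label))


def render_external(match, nofollow):
    """[http://... label] links: tagged rel=nofollow when the option is on.
    (Simplification: a bare bracketed URL is labelled with the URL itself.)"""
    url = match.group(1)
    label = match.group(2) or url
    rel = ' rel="nofollow"' if nofollow else ""
    return '<a class="external" href="%s"%s>%s</a>' % (
        html.escape(url, quote=True), rel, html.escape(label))


def render(wikitext, nofollow=NO_FOLLOW_LINKS):
    """Internal/interwiki links first, then external ones."""
    out = INTERNAL.sub(render_internal, wikitext)
    return EXTERNAL.sub(lambda m: render_external(m, nofollow), out)


# Constructed wikitext mixing the three link kinds.
SAMPLE = ("See [[Main Page]], [[wikipedia:Nofollow|the Wikipedia article]], "
          "[http://example.com/ a site] and [http://example.org/].")


if __name__ == "__main__":
    print(render(SAMPLE))
    print(render(SAMPLE, nofollow=False))
```

With the option on, only the two bracketed external URLs carry rel="nofollow"; the interwiki link points off-site too, yet stays untagged, which is the behaviour the announcement describes.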
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.3.10 is a security release.
In earlier 1.3.x releases an attacker could craft a URL which, when
visited by a particular logged-in user, would execute arbitrary
JavaScript code on the user's browser in the wiki's site context. This
attack has been blocked, and as an extra precaution the user CSS and
JavaScript subpage support is now disabled by default. Sites which want
this ability may set $wgAllowUserCss and $wgAllowUserJs in
LocalSettings.php.
Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.
All wikis running 1.3.x are strongly urged to upgrade to 1.3.10.
=== Changes from 1.3.9 ===
* Logged-in edits and preview of user CSS/JS are now locked to a
session token.
* Per-user CSS and JavaScript subpage customizations now disabled by
default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra
precaution. If your web server is configured to serve Ogg files with the
correct Content-Type header, you can re-add it in LocalSettings.php:
    $wgFileExtensions[] = 'ogg';
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=302313
Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.10.tar.gz?download
Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCAyTSwRnhpk1wk44RAtX7AJkBo1tLdta5ooHjg02ZVdnGpyoQKQCgsG1K
8j2DYMGGs3LbysjOrLCvudA=
=eAx7
-----END PGP SIGNATURE-----
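The 1.3.10 announcement above says logged-in edits are now locked to a session token and that bot tools must submit the additional fields. The block below is an added example, not the announcement's or MediaWiki's code, of the mechanism behind that: a token derived from a per-session secret is embedded in the form and checked on submission, so a form submitted from a foreign page without access to the session cannot pass. The field name edit_token, the in-memory SESSIONS table and all function names are this example's own; the users are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state: a signing key and a session table.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}   # session id -> {"user": name, "token_secret": per-session secret}


def start_session(user: str) -> str:
    """Log a user in; each session gets its own token secret."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "token_secret": secrets.token_hex(16)}
    return sid


def issue_token(sid: str, action: str) -> str:
    """Token placed in the form when it is served to the session's owner.

    It depends on the session secret and the action, so it differs per
    session and per form; a page on another site cannot read it."""
    sess = SESSIONS[sid]
    msg = (sess["token_secret"] + "\0" + action).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_token(sid: str, action: str, submitted) -> bool:
    """Constant-time comparison against the token this session would get."""
    if sid not in SESSIONS or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(issue_token(sid, action), submitted)


def handle_edit(sid: str, form: dict) -> str:
    """Server side of the edit form: reject before touching any data."""
    if not check_token(sid, "edit", form.get("edit_token")):
        return "rejected: missing or invalid session token"
    return "saved edit by %s" % SESSIONS[sid]["user"]


def bot_submit(sid: str, text: str) -> str:
    """What an updated bot tool does: obtain the token for its own session
    (as if it had loaded the edit form) and include it in the fields."""
    form = {"text": text, "edit_token": issue_token(sid, "edit")}
    return handle_edit(sid, form)


if __name__ == "__main__":
    alice = start_session("Alice")
    print(bot_submit(alice, "hello"))                  # saved
    print(handle_edit(alice, {"text": "forged"}))      # rejected: no token
```

Because the token is bound to both the session and the action, a token issued for one form cannot be replayed by a different session or against a different action.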