MediaWiki-announce August 2005

mediawiki-announce@lists.wikimedia.org

1 participants
4 discussions

MediaWiki 1.5rc4, 1.4.9, 1.3.15 released [SECURITY]
by Brion Vibber 29 Aug '05

29 Aug '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 These are security and maintenance releases, which fix two cross-site scripting bugs. All internet-facing wikis are recommended to upgrade to the current release in their series. Incorrect handling of <math> tags when TeX rendering is disabled, as in the default configuration. (Wikis where the optional math support has been *enabled* are not vulnerable.) * 1.5 vulnerable: <= 1.5rc3 fixed: >= 1.5rc4 * 1.4 vulnerable: <= 1.4.8 fixed: >= 1.4.9 * 1.3 vulnerable: <= 1.3.14 fixed: >= 1.3.15 Incorrect handling of <nowiki> and extension tags in table styles: * 1.5 vulnerable: <= 1.5rc3 fixed: >= 1.5rc4 * 1.4 vulnerable: <= 1.4.8 fixed: >= 1.4.9 * 1.3 not vulnerable Additionally, 1.5rc4 fixes some compatibility issues with PHP 5.1 beta. Release notes: 1.5rc4 http://sourceforge.net/project/shownotes.php?release_id=352778 1.4.9 http://sourceforge.net/project/shownotes.php?release_id=352777 1.3.15 http://sourceforge.net/project/shownotes.php?release_id=352776 Download: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc4.tar.gz?downlo… http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.9.tar.gz?download http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.15.tar.gz?downlo… File checksums: MD5 (mediawiki-1.5rc4.tar.gz) = 5a27beedfa4107813296307fe52b20ad MD5 (mediawiki-1.4.9.tar.gz) = fae30b065d08152735b2c2edd61aadf4 MD5 (mediawiki-1.3.15.tar.gz) = f1279514435143bd6840e1d570d8c4f4 Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l Bug report system: http://bugzilla.wikimedia.org/ Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net - -- brion vibber (brion @ pobox.com) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDE6oqwRnhpk1wk44RAmdEAKCOpHUv6+k37TlDCjxS9FCaJU1qJgCfTB/f eJmxsPTk1GVEq9DHDF8X86s= =euNq -----END PGP SIGNATURE-----

1 0

MediaWiki 1.5rc3 released [SECURITY]
by Brion Vibber 25 Aug '05

25 Aug '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MediaWiki 1.5rc3 is a preview release of the new 1.5 release series. It fixes several major problems in 1.5rc2: * Fixed a cross-site scripting injection in the search form ~ (broken since 1.5beta1) * Fixed upgrades from 1.4 database schema ~ (broken since 1.5rc2) 1.3 and 1.4 releases are not vulnerable to the XSS bug, but anyone running an earlier 1.5 beta or release candidate should upgrade immediately. Release notes: http://sourceforge.net/project/shownotes.php?release_id=351567 Download: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc3.tar.gz?downlo… MD5 checksum: mediawiki-1.5rc3.tar.gz fd051830057a1b5e7ea7032933a9cd6c Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l Bug report system: http://bugzilla.wikimedia.org/ Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net - -- brion vibber (brion @ pobox.com) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDDWMFwRnhpk1wk44RAswfAJ0WaOUa7rhM//5COGagr1X3+AbDTwCdHi3i d+ec3oNmRUpaHK3t6j7QcMg= =IFQo -----END PGP SIGNATURE-----

1 0

MediaWiki 1.5rc2 released (package fix)
by Brion Vibber 23 Aug '05

23 Aug '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MediaWiki 1.5rc1 release package was mistakenly built from the development source tree rather than the 1.5 release source tree. If you find yourself with a site claiming to be "1.6alpha" at Special:Version, you might be slightly more avant garde than you had intended. :) A corrected 1.5rc2 package from the 1.5 release branch has been uploaded. Release notes: http://sourceforge.net/project/shownotes.php?release_id=351309 Download: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc2.tar.gz?downlo… MD5 checksums: mediawiki-1.5rc2.tar.gz d3855d011ad3e860d98e2e9ae5178cbd Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l Bug report system: http://bugzilla.wikimedia.org/ Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net - -- brion vibber (brion @ pobox.com) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDC+q/wRnhpk1wk44RAlA/AJ9M4wzioTdabfhmEE1NpSToKJJKrQCfVNRZ scXgCUChFitC1rVzvUoUhpM= =fsyr -----END PGP SIGNATURE-----

1 0

MediaWiki 1.3.14, 1.4.8, 1.5rc1 released [SECURITY]
by Brion Vibber 23 Aug '05

23 Aug '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MediaWiki 1.5rc1 is a preview release of the new 1.5 release series. Numerous bug fixes since last beta, plus a security fix; see change log in the release notes for full details. A flaw in the interaction between extensions and HTML attribute sanitization was discovered which could allow unauthorized use of offsite resources in style sheets, and possible exploitation of a JavaScript injection feature on Microsoft Internet Explorer. This version expands the returned text and properly checks it before output. MediaWiki 1.4.8 is a bug fix and security maintenance release. It fixes the above bug, plus an update to skins/MonoBook.php ensures that sites using the default MonoBook skin will display correctly in the Internet Explorer 7 beta. (1.3 and 1.5 are not affected by this display problem.) MediaWiki 1.3.14 is a security maintenance release. The 1.3.x series is no longer maintained except for security fixes; new users and those seeking bug fixes should upgrade to 1.4.8 or 1.5rc1. Existing 1.3.x installations not willing to upgrade to the current stable relase should apply the change manually; details are in the release notes. If you are actively using extensions to generate HTML attribute values, upgrade to 1.4 or 1.5 for a full fix; 1.3.14 simply disables any attempt to use such. Release notes: 1.5rc1: http://sourceforge.net/project/shownotes.php?release_id=351260 1.4.8: http://sourceforge.net/project/shownotes.php?release_id=351258 1.3.14: http://sourceforge.net/project/shownotes.php?release_id=351257 Download: http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc1.tar.gz?downlo… http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.8.tar.gz?download http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.14.tar.gz?downlo… MD5 checksums: mediawiki-1.5rc1.tar.gz f8b61f0cdac4ed8a7ed7aecf02d3bc78 mediawiki-1.4.8.tar.gz 69112673e0599049dc962d4c904feb6b mediawiki-1.3.14.tar.gz 2d65015aff380620434e381a4d60b57a Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l Bug report system: http://bugzilla.wikimedia.org/ Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net - -- brion vibber (brion @ pobox.com) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDC6prwRnhpk1wk44RAr3YAJ9Aqw7b3cQ6COpMvixX5ty1NEEJRACgi0rK c5kgvf2tc/DMeMkFtI8TZqQ= =oHMy -----END PGP SIGNATURE-----

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

MediaWiki-announce August 2005