I'm happy to announce the availability of the second beta release of the
new MediaWiki 1.19 release series.
Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.
MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.
Five security issues were discovered.
It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.
Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.
Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
*********************************************************************
What's new?
*********************************************************************
MediaWiki 1.19 brings the usual host of various bugfixes and new features.
Comprehensive list of what's new is in the release notes.
* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
and render as PNG by default.
* MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
cache is used (used in the API and the Interwiki extension).
Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
content language.
* Time and number-formatting magic words also now depend on the page
content language.
* Bidirectional support further improved after 1.18.
Release notes
-------------
Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.19;hb=1.19.0beta2
https://www.mediawiki.org/wiki/Release_notes/1.19
Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
If you are using tarballs, there should be no change in the process for you.
Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.
Please bear with us, some of the Git related links for this release may not
work instantly, but should later on.
To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
More information is available at https://www.mediawiki.org/wiki/Git
For more help, please visit the #mediawiki IRC channel on freenode.net
(irc://irc.freenode.net/mediawiki) or email the MediaWiki-l mailing list
at mediawiki-l(a)lists.wikimedia.org.
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz
Patch to previous version (1.19.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
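The advice to extension developers in the announcement above (use a cryptographic source rather than mt_rand() where security is required), as an added example that is not part of the announcement or of MediaWiki's code. It is a stand-alone PHP 7+ script; the function names weakToken, strongToken and tokenMatches are hypothetical.

```php
<?php
// Added illustration, not MediaWiki code. All function names are hypothetical.

/**
 * Weak pattern: a token derived from mt_rand().
 * mt_rand() output is fully determined by a 32-bit seed, so a token built
 * from it carries at most 32 bits of entropy, however long the string looks.
 * The seed is set explicitly here only to make the determinism visible;
 * PHP seeds the generator itself when mt_srand() is never called.
 */
function weakToken( int $seed ): string {
	mt_srand( $seed );
	return md5( mt_rand() . mt_rand() );
}

/**
 * Stronger pattern: bytes taken directly from the operating system CSPRNG.
 * random_bytes() throws if no suitable source exists instead of silently
 * falling back to something weaker.
 * Inside MediaWiki 1.19+ an extension would call the MWCryptRand class the
 * announcement names (for example MWCryptRand::generateHex( 32 )); this
 * script cannot load MediaWiki, so it uses PHP's own facility.
 */
function strongToken( int $bytes = 16 ): string {
	return bin2hex( random_bytes( $bytes ) );
}

/**
 * Compare a stored token with a supplied one in constant time, so response
 * timing does not reveal how many leading characters matched.
 */
function tokenMatches( string $expected, string $supplied ): bool {
	return hash_equals( $expected, $supplied );
}

// Constructed demonstration values.
$weakA = weakToken( 12345 );
$weakB = weakToken( 12345 );
printf(
	"mt_rand token repeats for the same seed: %s\n",
	var_export( $weakA === $weakB, true )
);

$strongA = strongToken();
$strongB = strongToken();
printf( "CSPRNG token length in hex chars: %d\n", strlen( $strongA ) );
printf(
	"two CSPRNG tokens differ: %s\n",
	var_export( $strongA !== $strongB, true )
);

printf(
	"correct token accepted: %s\n",
	var_export( tokenMatches( $strongA, $strongA ), true )
);
printf(
	"other token rejected: %s\n",
	var_export( !tokenMatches( $strongA, $strongB ), true )
);
```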
I would like to announce the release of MediaWiki 1.18.2. Five security
issues were discovered.
It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.
Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.
Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.18;hb=1.18.2
https://www.mediawiki.org/wiki/Release_notes/1.18
Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
If you are using tarballs, there should be no change in the process for you.
Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.
Please bear with us, some of the Git related links for this release may not
work instantly, but should later on.
To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
More information is available at https://www.mediawiki.org/wiki/Git
For more help, please visit the #mediawiki IRC channel on freenode.net
(irc://irc.freenode.net/mediawiki) or email the MediaWiki-l mailing list
at mediawiki-l(a)lists.wikimedia.org.
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz
Patch to previous version (1.18.1), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
I would like to announce the release of MediaWiki 1.17.3. Five security
issues were discovered.
It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.
Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.
Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES;hb=1.17.3
https://www.mediawiki.org/wiki/Release_notes/1.17
Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git.
If you are using tarballs, there should be no change in the process for you.
Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.
Please bear with us, some of the Git related links for this release may not
work instantly, but should later on.
To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
More information is available at https://www.mediawiki.org/wiki/Git
For more help, please visit the #mediawiki IRC channel on freenode.net
(irc://irc.freenode.net/mediawiki) or email the MediaWiki-l mailing list
at mediawiki-l(a)lists.wikimedia.org.
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.tar.gz
Patch to previous version (1.17.2), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.3.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.3.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
I'm happy to announce the availability of the first beta release of the new
MediaWiki 1.19 release series.
Please try it out and let us know what you think. Don't run it on any wikis
that you really care about, unless you are both very brave and very
confident in your MediaWiki administration skills.
MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users. You can
consult the RELEASE-NOTES-1.19 file for the full list of changes in this
version.
*********************************************************************
What's new?
*********************************************************************
MediaWiki 1.19 brings the usual host of various bugfixes and new features.
Comprehensive list of what's new is in the release notes.
* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
and render as PNG by default.
* MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
cache is used (used in the API and the Interwiki extension).
Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
content language.
* Time and number-formatting magic words also now depend on the page
content language.
* Bidirectional support further improved after 1.18.
Release notes
-------------
Full release notes:
https://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_19_0beta1/phase3/RELEASE-NOTES-1.19
https://www.mediawiki.org/wiki/Release_notes/1.19
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta1.tar.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta1.tar.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
We are proud to announce the first stable release of the 1.18 series.
*********************************************************************
What's new?
*********************************************************************
MediaWiki 1.18 brings the usual host of various bugfixes and new
features.
jQuery 1.6.4 is now included as standard, along with numerous
more jQuery plugins.
Breaking changes:
* action=watch / action=unwatch now requires a token
As of 1.18, some commonly used extensions are now being included in the
released tarball; this is to allow ease of installation of these extensions
in new MediaWiki installs. If you already use the extension just replace the
files like you have done for MediaWiki itself. The following extensions are
bundled with MediaWiki as of 1.18. All are currently in use on Wikimedia
sites.
* ConfirmEdit: Various CAPTCHA techniques to try to prevent spambots and
other automated tools from editing your wiki.
* Gadgets: A system to allow users to enable or disable JavaScript or CSS
tools made available to users site-wide.
* Nuke: A special page allowing administrators to mass-delete content added
by a spammer or vandal.
* ParserFunctions: Additional parser functions (like #if and #switch) to
supplement the "magic words" present in MediaWiki.
* Renameuser: A special page which allows authorized users to rename user
accounts.
* Vector: Enhancements to the Vector skin.
* WikiEditor: An improved and customizable editing toolbar developed along
the Vector skin.
Major features
--------------
Better gender support
---------------------
Until version 1.17, MediaWiki used neutral nouns to address and identify
users on their user page. In English, this was not an issue since "User"
matches both genders, but in some languages the neutral gender is always
masculine; for example, this would cause French-speaking female Wikipedia
users to be referred to as "Utilisateur" (male user) instead of
"Utilisatrice" (female user).
With version 1.18, user pages reflect the user's gender, if they have
specified it in their preferences. More gender support (for instance in logs
and user lists) will be available in MediaWiki 1.19.
Improved file metadata support
------------------------------
MediaWiki now detects the camera orientation from Exif metadata, and rotates
the picture preview accordingly. The original file remains unchanged.
The overall metadata support in MediaWiki has been greatly extended.
Previously, MediaWiki could only extract limited Exif metadata, and showed a
subset of it on file description pages. Since 1.18, MediaWiki can extract
IPTC and XMP metadata from uploaded files, and more Exif information. This
includes an embedded description, author information, GPS coordinates, or
copyright statement.
Improved directionality support
-------------------------------
A lot of work has been done to fix directionality bugs (Left-To-Right,
Right-To-Left). Most notably bug 6100 is fixed, which allows displaying an
RTL interface on an LTR wiki properly (and vice versa). This was developed
under $wgBetterDirectionality, which is now no longer used because the
improvements are merged with the core code.
A positive consequence is that the page content on wikis with multiple
scripts is aligned according to the direction of the selected variant. For
example, on a Kazakh language wiki, selecting the Arabic script variant will
align the text as RTL, while selecting the Latin or Cyrillic variant will
align it as LTR.
Easily find where to customize interface messages
-------------------------------------------------
MediaWiki allows you to customize the user interface by editing pages in the
MediaWiki namespace. However, even though they can be viewed at
Special:AllMessages, the sheer number of these messages makes it difficult
to find which one needs to be customized. In MediaWiki 1.18, a new
pseudo-language is introduced (qqx) to help people find such messages, by
displaying the messages' key instead of the actual messages. All one has to
do is append ?uselang=qqx to the page's index.php/ URL
(see https://www.mediawiki.org/w/index.php?title=MediaWiki_1.18&uselang=qqx
as an example).
New plugin for collapsible elements
-----------------------------------
The new jQuery.makeCollapsible allows you to create collapsible tables,
lists and so on, by adding the class mw-collapsible to the elements.
See the manual for details:
https://www.mediawiki.org/wiki/Manual:Collapsible_elements
Protocol-relative URLs
----------------------
MediaWiki now supports protocol-relative URLs in links, interwiki targets
and $wgServer.
Protocol-relative URLs look like //example.com/wiki/Foo ; the browser will
recognize this as http://example.com/wiki/Foo when following a link from an
HTTP page, and https://example.com/wiki/Foo when following a link from an
HTTPS page.
This way, protocol-relative URLs enable a wiki to support HTTP and HTTPS
while serving the same HTML for both, which means the parser cache doesn't
have to be split.
More personalisable styles and scripts
--------------------------------------
MediaWiki now automatically loads JavaScript and stylesheets more specific
to each user. There is a separate CSS and JS file for each usergroup
(MediaWiki:Group-sysop.css, MediaWiki:Group-autoconfirmed.js, etc), and also
a CSS file for users viewing without JavaScript (MediaWiki:Noscript.css).
Other changes
-------------
$wgEnableDublinCoreRdf and $wgEnableCreativeCommonsRdf no longer
work in core, and the functionality has been moved to the relevant
extensions.
See http://www.mediawiki.org/wiki/Extension:DublinCoreRdf and
http://www.mediawiki.org/wiki/Extension:CreativeCoreRdf as appropriate
Math
----
$wgUseTeX has been superseded by the Math extension. To re-enable
math conversion after upgrading, obtain the Math extension from SVN or from
http://www.mediawiki.org/wiki/Extension:Math and add to LocalSettings.php:
require_once "$IP/extensions/Math/Math.php";
Language support
----------------
As with every release, MediaWiki 1.18 brings improved support for
languages in MediaWiki, with improved translation and features for
the many supported languages.
New languages:
* Angika (anp)
* Brahui (brh)
* Central Dusun (dtp)
* Jamaican Creole English (jam)
* Khowar (khw)
* Liv (liv)
* Kichwa (qug)
API
---
API bug fixes and new features have been added to 1.18, providing
more options for input and output.
* API modules were added to access QueryPage based special
pages, to Compare pages, Revert files, and to be able to access
other special pages such as Special:UnwatchedPages,
Special:MimeSearch and Special:ActiveUsers
* The output of the generated help page has been improved
The API contains a breaking change against previous releases:
* action=watch now requires POST and token.
Other
-----
Our thanks go to everyone who helped to improve MediaWiki
by testing the beta release and submitting bug reports and patches.
For more information about what's new in the MediaWiki 1.17 branch, see:
http://www.mediawiki.org/wiki/MediaWiki_1.17
Frequently asked questions about upgrading:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading
Changes since 1.18.0rc1
-----------------------
* (bug 32228) regression in Special:Search which did not conserve profile on
new search
* (bug 32460) Categories were improperly aligned in Simple and CologneBlue
* (bug 32412) TOC links on [[Special:EditWatchlist]] points to the fieldsets
* (bug 32582) Fix TOC show/hide link regression on IE 8
Release notes
-------------
Complete release notes are at
http://www.mediawiki.org/wiki/Release_notes/1.18
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0.tar.gz
Patch to previous version (1.18.0rc1), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.0.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.0patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html