I'm happy to announce the availability of the first release candidate of the
new MediaWiki 1.18 release series.
Please try it out and let us know what you think. Don't run it on any wikis
that you really care about, unless you are both very brave and very
confident in your MediaWiki administration skills.
MediaWiki 1.18 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users. You can
consult the RELEASE-NOTES file for the full list of changes in this version.
*********************************************************************
What's new?
*********************************************************************
MediaWiki 1.18 brings the usual host of various bugfixes and new features.
jQuery 1.6.4 is now included as standard, along with numerous more jQuery
plugins.
Breaking changes:
* action=watch / action=unwatch now requires a token
As of 1.18, some extensions are now being bundled with the released tarball.
The following extensions are bundled with MediaWiki as of 1.18. All are
currently in use on Wikimedia sites.
* ConfirmEdit - Various CAPTCHA techniques to try to prevent spambots and
other automated tools from editing your wiki.
* Gadgets - A system to allow users to enable or disable JavaScript or
CSS tools made available to users site-wide.
* Nuke - A special page allowing administrators to mass-delete content
added by a spammer or vandal.
* ParserFunctions - Additional parser functions (like #if and #switch) to
supplement the "magic words" present in MediaWiki.
* Renameuser - A special page which allows authorized users to rename
user accounts.
* Vector - Enhancements to the Vector skin.
* WikiEditor - An improved and customizable editing toolbar developed
along the Vector skin.
Major features
--------------
Better gender support
-- ---------------------
Until version 1.17, MediaWiki used neutral nouns to address and identify
users on their user page.
In English, this was not an issue since "User" matches both genders, but in
some languages the neutral gender is always masculine; for example, this
would cause French-speaking female Wikipedia users to be referred to as
"Utilisateur" (male user) instead of "Utilisatrice" (female user).
With version 1.18, user pages reflect the user's gender, if they have
specified it in their preferences.
More gender support (for instance in logs and user lists) will be available
in MediaWiki 1.19.
Improved file metadata support
-- -----------------------------
MediaWiki now detects the camera orientation from Exif metadata, and
rotates the picture
preview accordingly. The original file remains unchanged.
The overall metadata support in MediaWiki has been greatly extended.
Previously, MediaWiki could only
extract limited Exif metadata, and showed a subset of it on file
description pages. Since 1.18, MediaWiki can extract IPTC and XMP metadata
from uploaded files, and more Exif information. This includes an embedded
description, author information, GPS coordinates, or copyright statement.
Improved directionality support
-- -------------------------------
A lot of work has been done to fix directionality bugs (Left-To-Right,
Right-To-Left). Most notably bug 6100 is fixed, which allows an RTL
interface to be displayed properly on an LTR wiki (and vice versa). This was developed
under $wgBetterDirectionality, which is now no longer used because the
improvements are merged with the core code.
A positive consequence is that the page content on wikis with multiple
scripts is aligned according to the direction of the selected variant. For
example, on a Kazakh language wiki, selecting the Arabic script variant will
align the text as RTL, while selecting the Latin or Cyrillic variant will
align it as LTR.
Easily find where to customize interface messages
-- ---------------------------------------------
MediaWiki allows you to customize the user interface by editing pages in the
MediaWiki namespace.
However, even though they can be viewed at Special:AllMessages, the sheer
number of these messages makes it difficult to find which one needs to be
customized. In MediaWiki 1.18, a new pseudo-language is introduced (qqx) to
help people find such messages, by displaying the messages' key instead of
the actual messages. All one has to do is append ?uselang=qqx to the page's
index.php/ URL (see
https://www.mediawiki.org/w/index.php?title=MediaWiki_1.18&uselang=qqx as an
example).
New plugin for collapsible elements
-- -----------------------------------
The new jQuery.makeCollapsible allows you to create collapsible tables,
lists and so on, by adding the class mw-collapsible to the elements.
See the manual for details:
https://www.mediawiki.org/wiki/Manual:Collapsible_elements
Protocol-relative URLs
-- ----------------------
MediaWiki now supports protocol-relative URLs in links, interwiki targets
and $wgServer.
Protocol-relative URLs look like //example.com/wiki/Foo ; the browser will
recognize this as http://example.com/wiki/Foo when following a link from an
HTTP page, and https://example.com/wiki/Foo when following a link from an
HTTPS page.
This way, protocol-relative URLs enable a wiki to support HTTP and HTTPS
while serving the same HTML for both, which means the parser cache doesn't
have to be split.
More personalisable styles and scripts
-- --------------------------------------
MediaWiki now automatically loads JavaScript and stylesheets more specific
to each user.
There is a separate CSS and JS file for each usergroup
(MediaWiki:Group-sysop.css, MediaWiki:Group-autoconfirmed.js, etc), and also
a CSS file for users viewing without JavaScript (MediaWiki:Noscript.css).
Other changes
-- -------------
$wgEnableDublinCoreRdf and $wgEnableCreativeCommonsRdf no longer work in
core, and the functionality has been moved to the relevant extensions.
See http://www.mediawiki.org/wiki/Extension:DublinCoreRdf and
http://www.mediawiki.org/wiki/Extension:CreativeCoreRdf as appropriate
Math
----
$wgUseTeX has been superseded by the Math extension. To re-enable math
conversion after upgrading, obtain the Math extension from SVN or from
http://www.mediawiki.org/wiki/Extension:Math and add to LocalSettings.php:
require_once "$IP/extensions/Math/Math.php";
Language support
----------------
As with every release, MediaWiki 1.18 brings improved support for languages
in MediaWiki, with improved translation and features for the many supported
languages.
New languages:
* Angika (anp)
* Brahui (brh)
* Central Dusun (dtp)
* Jamaican Creole English (jam)
* Khowar (khw)
* Liv (liv)
* Kichwa (qug)
API
---
API bug fixes and new features have been added to 1.18, providing more
options for input and output.
* API modules were added to access QueryPage based special
pages, to Compare pages, Revert files, and to be able to access
other special pages such as Special:UnwatchedPages,
Special:MimeSearch and Special:ActiveUsers
* The output of the generated help page has been improved
The API contains a breaking change against previous releases:
* action=watch now requires POST and token.
Other
-----
Our thanks go to everyone who helped to improve MediaWiki by testing the
beta release and submitting bug reports and patches.
Release notes
-------------
Complete release notes are at
http://www.mediawiki.org/wiki/Release_notes/1.18
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0rc1.tar.gz
Patch to previous version (1.18.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0rc1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.0rc1.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0rc1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0rc1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.0rc1.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.18 release series.
Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.
MediaWiki 1.18 is a large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.
*********************************************************************
What's new?
*********************************************************************
MediaWiki 1.18 brings the usual host of various bugfixes and new
features.
jQuery 1.6.4 is now included as standard, along with numerous
more jQuery plugins
Breaking changes:
* action=watch / action=unwatch now requires a token
As of 1.18 extensions are now being bundled with the release tarball.
MediaWiki 1.18 bundles:
* ConfirmEdit
* Gadgets
* Nuke
* ParserFunctions
* Renameuser
* Vector
* WikiEditor
$wgEnableDublinCoreRdf and $wgEnableCreativeCommonsRdf no longer
work in core, and the functionality has been moved to the relevant
extensions.
See http://www.mediawiki.org/wiki/Extension:DublinCoreRdf and
http://www.mediawiki.org/wiki/Extension:CreativeCoreRdf as appropriate
Math
----
$wgUseTeX has been superseded by the Math extension. To re-enable
math conversion after upgrading, obtain the Math extension from SVN or from
http://www.mediawiki.org/wiki/Extension:Math and add to LocalSettings.php:
require_once "$IP/extensions/Math/Math.php";
Language support
----------------
As with every release, MediaWiki 1.18 brings improved support for
languages in MediaWiki, with improved translation and features for
the many supported languages.
New languages:
* Angika (anp)
* Brahui (brh)
* Central Dusun (dtp)
* Jamaican Creole English (jam)
* Khowar (khw)
* Liv (liv)
* Kichwa (qug)
API
---
API bug fixes and new features have been added to 1.18, providing
more options for input and output.
* API modules were added to access QueryPage based special
pages, to Compare pages, Revert files, and to be able to access
other special pages such as Special:UnwatchedPages,
Special:MimeSearch and Special:ActiveUsers
* The output of the generated help page has been improved
The API contains a breaking change against previous releases:
* action=watch now requires POST and token.
Release notes
-------------
Complete release notes are at
http://www.mediawiki.org/wiki/Release_notes/1.18
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0beta1.tar.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.0beta1.tar.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
We are proud to announce the first stable release of the 1.17 series.
Selected changes since MediaWiki 1.16 that may be of interest:
* A new installer has been introduced. It has a wizard-style interface
which is translated into many languages. Many shortcomings in the old
installer were addressed with this rewrite. Note that it is no longer
required for the config directory to be made writable by the webserver.
Instead the generated LocalSettings.php file is offered as a download,
which you must then upload to the wiki's base directory.
* ResourceLoader, a new framework for delivering client-side resources
such as JavaScript and CSS, has been introduced. These resources are
now delivered through the new entry point script "load.php", instead of
as static files served directly by the web server. This allows
minification, compression and client-side caching to be used more
effectively, which should provide a net performance improvement for
most users.
* Category sorting has been improved.
* Sorting is now case insensitive.
* Sub-categories, pages and files can now be paged separately.
* When several pages are given the same sort key, they sort by their
names instead of randomly.
* The lowest supported version of PHP is now 5.2.3. If necessary, please
upgrade PHP prior to upgrading MediaWiki.
* Oracle Database support has been improved, and is now ready for beta
testing. If you work in an environment where Oracle is readily
available, and you can't get access to MySQL, this may be a useful
alternative for you. Please try it out and let us know if it works for
you. Oracle support is not yet recommended for use in production.
For more information about what's new in the MediaWiki 1.17 branch, see:
http://www.mediawiki.org/wiki/MediaWiki_1.17
Frequently asked questions about upgrading:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading
Changes since 1.17.0rc1:
* Fixed syntax error in generated LocalSettings.php when a non-default
user rights profile is chosen.
* (bug 29399) Fixed PostgreSQL installation when the DB user for
installation is the same as the one for web access.
* (bug 29233) Fixed failover for DB slave servers. When a DB slave
went down, an error was immediately shown to the user, instead of
trying another slave. Was broken since 1.17 beta 1.
* (bug 29278) Fixed PHP fatal error when attempting to add text to a
page via a redirect.
* (bug 29408) Fixed uploads of files with MIME types that aren't
detected by MediaWiki.
Full release notes:
http://www.mediawiki.org/wiki/Release_notes/1.17
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
Patch to previous version (1.17.0rc1):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.17 release series.
Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.
MediaWiki 1.17 is a very large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.
*********************************************************************
What's new?
*********************************************************************
PHP 5.2.3
---------
We now require PHP version 5.2.3 or later. Why? Well, it brings with
it some tools for your beloved developers. It was released on June
1, 2007, so we believe this requirement will not be a hassle for
administrators. Be sure to check your PHP installation and contact
your host if it runs an outdated PHP version.
New installer
-------------
MediaWiki 1.17 is shipping with a completely redesigned installer to
fix a lot of outstanding bugs, clean up the code quality, and make
it easier to use. Notably, you can now run upgrades from the web
without having to move LocalSettings.php. A couple of other notable
changes:
* The installer can now be fully localized like the rest of the
software and contains numerous help dialogs.
* The installer script directory has been renamed from config/
to mw-config/.
* You now download your generated LocalSettings.php at install
completion, rather than writing it straight to the
configuration directory. The previous behavior was a security
risk.
* IBM DB2 and MSSQL support were dropped from the installer.
ResourceLoader
--------------
As web browsers have become more capable, the software that
MediaWiki runs on them has become more complex. This trend has
resulted in developers needing an efficient way to package and
deliver code to web browsers. To address this, MediaWiki 1.17
ships with ResourceLoader: a framework which combines and minifies
CSS and JavaScript before delivering them to the web browser.
ResourceLoader improves performance, while also making it easier to
write client-side features. ResourceLoader allows developers to
organize scripts, styles, and messages into named modules. Any
number of modules can be loaded through a single request, improving
page load times. Code is minified automatically and loaded when
needed, reducing unnecessary downloads. Other advanced features
include the ability to embed images in style sheets using data URIs, or
automatically flipping horizontal information in style sheets for
right-to-left user interfaces.
Category sorting
----------------
Category sorting has been drastically improved.
* Sorting is now case insensitive.
* Sub-categories, pages and files can now be paged separately.
* When several pages are given the same sort key, they sort by
their names instead of randomly.
Language support
----------------
As with every release, MediaWiki 1.17 brings improved support for
languages in MediaWiki, with improved translation and features for
the many supported languages.
New languages:
* Moroccan Spoken Arabic (ary)
* Banjar (bjn)
* Kabardian (Cyrillic) (kbd-cyrl)
* Latgalian (ltg)
* Minangkabau (min)
* Dutch (informal) (nl-informal)
* Rusyn (rue)
API
---
API bug fixes and new features have been added to 1.17, providing
more options for input and output.
* API output can now be formatted by PHP's var_export() (format
type is dbg/dbgfm).
* An API module was added to list page properties.
* PARAM_REQUIRED can now be used on parameters, to have the API
enforce existence before code even reaches the module.
* The API now has a Really Simple Discovery module, useful for
publishing service information by the API.
The API contains 3 breaking changes against previous releases:
* action=patrol now requires POST.
* The patrol token is no longer the same as edit token.
* Session keys returned by ApiUpload are now strings instead of
integers.
Other
-----
* Interwiki links in articles are now recorded in a separate
table.
* Users can now add CSS and JS to all skins by using
User:<name>/common.css and User:<name>/common.js.
Release notes
-------------
Complete release notes are at
http://www.mediawiki.org/wiki/Release_notes/1.17
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0beta1.tar.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0beta1.tar.gz.s…
Public keys:
https://secure.wikimedia.org/keys.html
Our patch for the Internet Explorer 6 XSS issue (bug 28235) released
two days ago in 1.16.3 was insufficient to fix that bug. The original
reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we
are doing another release, which contains a second attempt at fixing
the issue.
Apologies to everyone for the inconvenience. Big thanks go to Masato
Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan
Kattouw who helped me test the patch this time around, so that we can
hopefully avoid a repeat.
It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for
Internet Explorer clients, version 6 and earlier. Also, if you used
the Apache configuration I suggested in the previous release
announcement, you should update it to:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
RewriteRule . - [forbidden]
We missed the fact that there can be more than one question mark in a
URL. In certain circumstances, IE 6 will use a file extension
immediately before a question mark character, regardless of how many
question marks precede it. For example, with the URL:
http://example.com/a?b?c.html?d?e
IE 6 will see the file extension as ".html".
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz
Patch to previous version (1.16.3):
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig
Public keys:
https://secure.wikimedia.org/keys.html
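The difference between the RewriteCond pattern from the 1.16.3 announcement and the updated one above, as an added example (not code from the announcements or from MediaWiki). Python's re module stands in for Apache's regex matching, and every URL except the a?b?c.html?d?e one quoted above is a constructed sample.

```python
import re
from urllib.parse import urlsplit

# RewriteCond patterns as quoted in the 1.16.3 and 1.16.4 announcements.
# Apache's [nocase] flag corresponds to re.IGNORECASE here.
RULE_1_16_3 = re.compile(r"\.[a-z]{1,4}$", re.IGNORECASE)
RULE_1_16_4 = re.compile(r"\.[a-z0-9]{1,4}(#|\?|$)", re.IGNORECASE)

# The first URL is the one from the announcement; the rest are constructed.
SAMPLES = [
    "http://example.com/a?b?c.html?d?e",
    "http://example.com/index.php?title=Foo.html",
    "http://example.com/index.php?title=Foo.HTML",
    "http://example.com/index.php?file=clip.mp3",
    "http://example.com/index.php?title=Main_Page&action=raw",
    "http://example.com/index.php?search=MediaWiki+1.18",
]


def query_string(url):
    """Raw text after the first '?', which is what %{QUERY_STRING} holds."""
    return urlsplit(url).query


def is_forbidden(rule, url):
    """True if the RewriteCond matches, i.e. the request is answered with 403."""
    return rule.search(query_string(url)) is not None


def compare(urls):
    """Return (url, blocked_by_1_16_3_rule, blocked_by_1_16_4_rule) tuples."""
    return [(u, is_forbidden(RULE_1_16_3, u), is_forbidden(RULE_1_16_4, u))
            for u in urls]


def newly_blocked(urls):
    """URLs the old rule let through that the updated rule rejects."""
    return [u for u, old, new in compare(urls) if new and not old]


def regressions(urls):
    """URLs the old rule rejected that the updated rule would let through."""
    return [u for u, old, new in compare(urls) if old and not new]


if __name__ == "__main__":
    print(f"{'1.16.3':<8}{'1.16.4':<8}query string")
    for url, old, new in compare(SAMPLES):
        print(f"{'403' if old else 'pass':<8}{'403' if new else 'pass':<8}"
              f"{query_string(url)}")
```

The last sample shows that the updated rule also rejects a harmless query string ending in a version number, so expect some legitimate requests to receive a 403 once it is deployed.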
I would like to announce the release of MediaWiki 1.16.3, which is a
security release. Three security issues were discovered.
Masato Kinugawa discovered a cross-site scripting (XSS) issue, which
affects Internet Explorer clients only, and only version 6 and
earlier. Web server configuration changes are required to fix this
issue. Upgrading MediaWiki will only be sufficient for people who use
Apache with AllowOverride enabled.
Due to the diversity of uploaded files that we allow, MediaWiki does
not guarantee that uploaded files will be safe if they are interpreted
by the client as some arbitrary file type, such as HTML. We rely on
the web server to send the correct Content-Type header, and we rely on
the web browser to respect it. This XSS issue arises due to IE 6
looking for a file extension in the query string of the URL (i.e.
after the "?"), if no extension is found in the path part of the URL.
Masato Kinugawa discovered that the file extension in the path part
can be hidden from IE 6 by substituting the "." with "%2E".
To fix this issue, configure your web server to deny requests with
URLs that have a path part ending in a dot followed by a dangerous
file extension. For example, in Apache with mod_rewrite:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
RewriteRule . - [forbidden]
Upgrading MediaWiki is necessary to fix this issue in
dynamically-generated content. This issue is easier to exploit using
dynamically generated content, since it requires no special
privileges. Accounts on both public and private wikis can be
compromised by clicking a malicious link in an email or website. For
more details, see bug 28235.
Wikipedia user Suffusion of Yellow discovered a CSS validation error
in the wikitext parser. This is an XSS issue for Internet Explorer
clients, and a privacy loss issue for other clients since it allows
the embedding of arbitrary remote images. For more details, see bug 28450.
MediaWiki developer Happy-Melon discovered that the transwiki import
feature neglected to perform access control checks on form submission.
The transwiki import feature is disabled by default. If it is enabled,
it allows wiki pages to be copied from a remote wiki listed in
$wgImportSources. The issue means that any user can trigger such an
import to occur. For more details, see bug 28449.
The localisations were updated using content from translatewiki.net.
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.tar.gz
Patch to previous version (1.16.2), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.3.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.3.patch.gz…
Public keys:
https://secure.wikimedia.org/keys.html
If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux
distribution which includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
will be vulnerable to a denial-of-service vulnerability.
CVE-2010-4645 is a vulnerability which causes the conversion from a
string to a floating-point number to take forever, for certain special
strings. PHP's weak typing means that such conversion can take place
implicitly, for example in code like "$string > 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.
PHP release announcement:
http://www.php.net/archive/2011.php#id2011-01-06-1
Updated Ubuntu packages:
http://www.ubuntu.com/usn/usn-1042-1
-- Tim Starling