The following extensions had cross-site scripting (XSS) vulnerabilities:
* geo
* MetavidWiki
* wikihiero
These vulnerabilities are exploitable even if the extensions are
disabled. If you have any of these extensions installed, please update
them immediately.
Many shared hosting services have the php.ini setting "register_globals"
enabled, despite the fact that it is known to be detrimental to security.
A new automated vulnerability scanner has found a large number of
security vulnerabilities in MediaWiki extensions, when register_globals
is enabled. Unless you are sure you have register_globals disabled, the
following extensions should be immediately updated:
Cross-site scripting vulnerabilities:
* Call
* ChangeAuthor
* EditOwn
* SignDocument
* TemplateLink
* WatchSubpages
* WhoIsWatching
* php/ext/MediaWiki
Arbitrary script inclusion vulnerabilities:
* CategoryIntersection
* Makebot
* PasswordReset
* regexBlock
* SemanticCalendar
* SemanticForms
* SemanticMediaWiki
* SocialProfile
* SpamRegex
* StalePages
* TodoTasks
* WhiteList
* Wikidata
All these extensions are vulnerable regardless of whether they are
enabled in LocalSettings.php. They only need to be installed, with their
installation directory accessible from the public internet.
Downloads in .tar.gz form for all these MediaWiki extensions are
available from:
http://www.mediawiki.org/wiki/Special:ExtensionDistributor
Or using a subversion client from:
http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions
-- Tim Starling
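The advisory above describes one root cause shared by the second list of extensions: with register_globals on, a request for an extension file that sits under the web root can pre-set globals such as $IP before the file runs, so an include built from that global becomes attacker-controlled, and any request data echoed back becomes reflected XSS. The script below is an added example, not code from MediaWiki or from any extension named in the advisory: a small audit an administrator can run over an extensions/ directory to report whether register_globals is on and which files lack the defined( 'MEDIAWIKI' ) entry-point guard that makes a direct request exit before any global is used. The script name audit_extensions.php, the regex heuristics, and the two constructed sample files it audits when run without an argument are assumptions of this example.

```php
<?php
/*
 * Added example (not MediaWiki code, not code from any extension in the
 * advisory). Audits an extensions/ tree for the register_globals exposure:
 *   - files without the  defined( 'MEDIAWIKI' )  guard keep executing when
 *     fetched directly over the web;
 *   - in such a file, an include path starting with a variable ($IP is the
 *     usual one) is the script-inclusion case, since the request can set it;
 *   - echo/print of raw $_GET/$_POST/$_REQUEST is the reflected-XSS case.
 * The regexes are heuristics (assumptions of this example), not a parser.
 * Usage: php audit_extensions.php /srv/mediawiki/extensions
 * With no argument it audits two constructed sample files instead.
 */

/** True when this PHP has register_globals on. The directive was removed in
 *  PHP 5.4; there ini_get() returns false and so does this function. */
function registerGlobalsEnabled() {
    return filter_var( ini_get( 'register_globals' ), FILTER_VALIDATE_BOOLEAN );
}

/** Audit one PHP source file; returns a list of finding strings, empty if clean. */
function auditFile( $path ) {
    $src = file_get_contents( $path );
    $findings = array();

    $guarded = preg_match( "/defined\s*\(\s*['\"]MEDIAWIKI['\"]\s*\)/", $src ) === 1;
    if ( !$guarded ) {
        $findings[] = 'no MEDIAWIKI entry-point guard: file executes when fetched directly';
        // include/require whose path begins with a variable, e.g. require_once( "$IP/..." ).
        // Only reported for unguarded files: a guarded file exits before reaching it.
        if ( preg_match_all( '/\b(?:include|require)(?:_once)?\s*\(?\s*["\']?\s*\$(\w+)/', $src, $m ) ) {
            foreach ( array_unique( $m[1] ) as $var ) {
                $findings[] = "include path built from \$$var: script inclusion if a request can set \$$var";
            }
        }
    }
    // echo/print of raw request data with no htmlspecialchars() in the same statement
    if ( preg_match( '/\b(?:echo|print)\b(?:(?!htmlspecialchars)[^;])*\$_(?:GET|POST|REQUEST)\b/', $src ) ) {
        $findings[] = 'request parameter echoed without escaping: reflected XSS';
    }
    return $findings;
}

/** Audit every .php file under $dir; returns path => findings for files with findings. */
function auditDirectory( $dir ) {
    $report = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {
        if ( substr( $file->getFilename(), -4 ) !== '.php' ) {
            continue;
        }
        $findings = auditFile( $file->getPathname() );
        if ( $findings ) {
            $report[ $file->getPathname() ] = $findings;
        }
    }
    ksort( $report );
    return $report;
}

// Constructed samples (not real extension code). The hardened one uses the
// MEDIAWIKI guard, a path derived from __FILE__ instead of $IP, and escapes output.
$vulnerableSample = <<<'PHP'
<?php
$wgExtensionCredits['other'][] = array( 'name' => 'ExampleExt' );
require_once( "$IP/extensions/ExampleExt/ExampleExt.body.php" );
echo "Debug page: " . $_GET['page'];
PHP;

$hardenedSample = <<<'PHP'
<?php
if ( !defined( 'MEDIAWIKI' ) ) {
    echo "This file is part of a MediaWiki extension and is not a valid entry point.\n";
    exit( 1 );
}
$dir = dirname( __FILE__ ) . '/';
$wgAutoloadClasses['ExampleExt'] = $dir . 'ExampleExt.body.php';
echo "Debug page: " . htmlspecialchars( $_GET['page'] );
PHP;

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        $target = $argv[1];
    } else {
        $target = sys_get_temp_dir() . '/mw-audit-demo-' . getmypid();
        mkdir( "$target/ExampleExt", 0700, true );
        file_put_contents( "$target/ExampleExt/Vulnerable.php", $vulnerableSample );
        file_put_contents( "$target/ExampleExt/Hardened.php", $hardenedSample );
    }
    printf( "register_globals: %s\n",
        registerGlobalsEnabled() ? 'ON, web-reachable extension files are exposed' : 'off (or absent)' );
    $report = auditDirectory( $target );
    foreach ( $report as $path => $findings ) {
        echo "$path\n";
        foreach ( $findings as $f ) {
            echo "  - $f\n";
        }
    }
    if ( !$report ) {
        echo "no findings under $target\n";
    }
}
```

Run without arguments, Vulnerable.php is reported with all three findings and Hardened.php with none. The audit only recognises the patterns above, so a clean report is not a substitute for installing the updated extensions; it is a way to see which installed files would execute on a direct request. On a shared host where php.ini cannot be edited, register_globals is a PHP_INI_PERDIR directive, so under mod_php it can usually be turned off per directory with `php_flag register_globals off` in .htaccess (if the host permits that override); confirm the result with `php -i | grep register_globals` or the function above.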
Ok, the release schedule got disrupted with all the busy Wikimedia
Foundation stuff over the last few months, but we're getting back on
track with this release candidate for the Winter 2008 quarterly release,
MediaWiki 1.12.
There's a *lot* of updates, small and large... Perhaps most significant
is a rewrite of much of the parser, changing how templates and
extensions are expanded. Among other things, this should ensure that
complex mixes of templates and HTML tables render more similarly
between Wikipedia and default installations of MediaWiki.
For this release candidate, we're very interested to hear back about
regressions or problems with the installer / updaters. Note that, as
with most previous releases, you will have to run the updaters to apply
some database schema updates when you upgrade.
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_0RC1/phase3/RELEASE…
Download:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.0rc1.tar.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.0rc1.tar.gz.sig
SHA-1 checksums:
ee5c298a667b6fa476a5c6de9ddb4c23f2cfd03d mediawiki-1.12.0rc1.tar.gz
MD5 checksums:
MD5 (mediawiki-1.12.0rc1.tar.gz) = a77fbae59e70f4623564c5d45bb1eb9f
Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
-- brion vibber (brion @ wikimedia.org)
Just a notification of a schedule shift:
Since there's still some pretty heavy development activity going on, I'm
going to go ahead and delay the 1.11.0 release until mid-August, after
the Wikimania conference.
This'll give us a chance to iron out the new upload improvements and
other little goodies still going on.
We're definitely interested in feedback from the 1.10.1 point release as
far as installer compatibility -- if there are any problems we'll want
to know to make sure 1.11.0 fixes them.
-- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a bugfix update to the Spring 2007 quarterly release snapshot.
A number of fixes to improve compatibility with PostgreSQL, some
versions of MySQL, and some PHP configurations are included.
Note that the quarterly 1.11.0 release with bigger changes should follow
within the next week or two.
Changes since 1.10.0:
* (bug 9417) Uploading new versions of images when using Postgres no
longer throws warnings.
* (bug 9908) Using tsearch2 with Postgres 8.1 no longer gives an error.
* (bug 9973) Changed size was shown in advanced recentchanges
collapsible items with $wgRCShowChangedSized = false.
* Fixed installation on MyISAM or old InnoDB with charset=utf8, was
giving overlong key errors.
* Fixed zero-padding issues with MySQL 5 binary schema
* (bug 9820) session.save_path check no longer halts installation, but
warns of possible bad values
* (bug 9978) Fixed session.save_path validation when using extended
configuration format, e.g. "5;/tmp"
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_10_1/phase3/RELEASE-NO…
Download:
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.1.tar.gz
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.1.patch
(Patch is against 1.10.0)
PGP signature:
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.10/mediawiki-1.10.1.patch.sig
MD5 checksum:
7c8c938cf3ca57cecf6192ca54c33859 mediawiki-1.10.1.tar.gz
f3ca7e3d0ad46117285a11d959b80722 mediawiki-1.10.1.patch
SHA-1 checksum:
16429c3a611dec82c0cfd998180190544982a5ee mediawiki-1.10.1.tar.gz
f50260426645d62bc1c781ebf2a3267c68cac9a9 mediawiki-1.10.1.patch
Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGl9tdwRnhpk1wk44RAjbbAJ4/zvfkriUtJYrM9QDHFpjyEYvTLACePpno
BEt2F1NZhLH7knPYT6cA3mE=
=avkV
-----END PGP SIGNATURE-----