-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
February 20, 2007
MediaWiki 1.9.3 is a security and bug-fix update to the Winter 2007
quarterly release. Minor compatibility fixes for IIS and PostgreSQL are
included.
An XSS injection vulnerability based on Microsoft Internet Explorer's
UTF-7 charset autodetection was located in the AJAX support module,
affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
$wgUseAjax is enabled.
If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10
There is no known danger in the default configuration, with $wgUseAjax off.
* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
* (bug 8984) Fix a database error in Special:Recentchangeslinked
  when using the PostgreSQL database.
* Add 'charset' to Content-Type headers on various HTTP error responses
  to forestall additional UTF-7-autodetect XSS issues. PHP sends only
  'text/html' by default when the script didn't specify more details,
  which some inconsiderate browsers consider a license to autodetect
  the deadly, hard-to-escape UTF-7.
  This fixes an issue with the Ajax interface error message on MSIE
  when $wgUseAjax is enabled (not default configuration); this UTF-7
  variant on a previously fixed attack vector was discovered by Moshe BA
  from BugSec: http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_3/phase3/RELEASE-NOT…
Download:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.3.tar.gz
Patch against 1.9.2:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.3.patch
Downloads, checksums, and GPG signatures for all versions:
http://download.wikimedia.org/mediawiki/1.9/
http://download.wikimedia.org/mediawiki/1.8/
http://download.wikimedia.org/mediawiki/1.7/
http://download.wikimedia.org/mediawiki/1.6/
Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF27NDwRnhpk1wk44RAhmmAKCVZNGTidpNmCJUwUs5JA1CIJL3OwCfUsxy
uny25mn0vihjgNoDxl2ZDiw=
=bvTp
-----END PGP SIGNATURE-----
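Added example, not part of the announcement above and not MediaWiki code: a small Python check for the condition the 1.9.3 notes describe, an HTML response whose Content-Type carries no charset, plus a demonstration of why UTF-7 is called hard to escape. The sample responses and all function names are constructed for illustration.

```python
import html
from email.message import Message

# Media types a browser renders as markup, so a missing charset matters.
SNIFFABLE = {"text/html", "application/xhtml+xml"}

# Constructed sample (status, headers) pairs; not captured from a real server.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html; charset=UTF-8"}),
    (500, {"Content-Type": "text/html"}),  # PHP's default when nothing more is set
    (404, {"Content-Type": "text/html; charset=utf-8"}),
    (200, {"Content-Type": "application/xml; charset=utf-8"}),
]

def content_type_charset(header_value):
    """Parse a Content-Type value into (media_type, charset or None)."""
    msg = Message()
    msg["Content-Type"] = header_value
    return msg.get_content_type(), msg.get_param("charset")

def audit_response(status, headers):
    """Return a finding string, or None when the charset is pinned."""
    value = headers.get("Content-Type")
    if value is None:
        return f"{status}: no Content-Type header"
    media_type, charset = content_type_charset(value)
    if media_type in SNIFFABLE and not charset:
        return f"{status}: {media_type} without charset, browser may autodetect"
    return None

def audit(responses):
    """Collect findings for every response that leaves the charset open."""
    findings = (audit_response(status, hdrs) for status, hdrs in responses)
    return [f for f in findings if f]

def survives_html_escaping(text):
    """True when HTML-escaping leaves ASCII text untouched but decoding the
    same bytes as UTF-7 yields different characters."""
    escaped = html.escape(text)
    return escaped == text and escaped.encode("ascii").decode("utf-7") != text

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
    # "+ADw-" is the UTF-7 spelling of "<"; it contains nothing that
    # HTML escaping rewrites, so only a declared charset stops it.
    print(survives_html_escaping("+ADw-"), survives_html_escaping("<"))
```

Only the 500 response is flagged; declaring the charset, as the fix does for error pages, is what keeps the browser from decoding escaped output as UTF-7.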
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
January 24, 2007
This is a bug-fix update that fixes some installation and upgrade issues
with the original 1.9.0 release.
* (bug 3000) Fall back to SCRIPT_NAME plus QUERY_STRING when REQUEST_URI
  is not available, as on IIS with PHP-CGI
* Security fix for DjVu images. (Only affects servers where .djvu file
  uploads are enabled and $wgDjvuToXML is set.)
* (bug 8638) Fix update from 1.4 and earlier
* (bug 8641) Fix order of updates to ipblocks table for updates from <=1.7
* (bug 8673) Minor fix for web service API content-type header
* Fix API revision list on PHP 5.2.1; bad reference assignment
* Fixed up the AjaxSearch
* Exclude settings files when generating documentation. That could
  expose the database user and password to remote users.
* ar: fix the 'create a new page' on search page when no exact match found
* Correct tooltip accesskey hint for Opera on the Macintosh (uses
  Shift-Esc-, not Ctrl-).
* (bug 8719) Firefox release notes lie! Fix tooltips for Firefox 2 on
  x11; accesskeys default settings appear to be same as Windows.
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_1/phase3/RELEASE-NOT…
Download:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.1.tar.gz
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.1.patch
MD5 checksum:
89f77d8f39fbefa4325e0fe4d06746c7 mediawiki-1.9.1.tar.gz
e9e3785068f9edc6169c4215bc65eff0 mediawiki-1.9.1.patch
SHA-1 checksum:
11418c10ac59c044ece1cc0dd20a32c74b96ec86 mediawiki-1.9.1.tar.gz
6eaf11390c1aaea87ff48d798f7fe564a341f249 mediawiki-1.9.1.patch
PGP signatures:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.1.patch.sig
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFtyKJwRnhpk1wk44RAmIQAJsH/xB/lV+/gFHAbhEVWsXv1yoMLgCfWChB
r3LSI7FwfucNJ4qOliFJ8QA=
=rKzE
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
January 10, 2007
MediaWiki 1.9.0 is the quarterly release snapshot for Winter 2007. While
the code has been running on Wikipedia for some time, installation and
upgrade bits may be less well tested. Bug fix releases may follow in the
coming days or weeks.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a
year from first release, but nonessential bugfixes and feature
development will be made on the development trunk and appear in
the next quarterly release.
Those wishing to use the latest code instead of a branch release can
obtain it from source control:
http://www.mediawiki.org/wiki/Download_from_SVN
1.9 includes a number of compatibility fixes since 1.8 as well as many
bug fixes and some new features, so all users who can run PHP 5 are
strongly encouraged to upgrade.
There are no changes from 1.9.0rc2 to 1.9.0 final except the version number.
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0/phase3/RELEASE-NOT…
Download:
http://sourceforge.net/project/showfiles.php?group_id=34373
MD5 checksums:
cb58560858e2b85ac7b94097ad3e4531 mediawiki-1.9.0.tar.gz
SHA-1 checksums:
c60e212ae5c02501405d91014db6c53499fafa39 mediawiki-1.9.0.tar.gz
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFpVY9wRnhpk1wk44RAuaLAKDZMiz0XUxIEUdbB6/b90ETuPDKZgCcDM50
N2xH6gBQ5AW5ncvhvRRitGk=
=Uomr
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've made a snapshot release candidate from 1.9 branch; this is a chance
to get a few more possible installation/upgrade regressions tested and
fixed.
A more widely announced 'final' 1.9.0 release will come after another
day or two.
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC1/phase3/RELEASE-…
Download from:
http://sourceforge.net/project/showfiles.php?group_id=34373&package_id=93103
MD5 checksum: 55eb83d15a95db85ed002aace93a18d9
SHA-1 checksum: 1ee7d5ddc5b356288f7bdaa9b5800cb89a461216
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFov17wRnhpk1wk44RAm0NAJ9cCdwCyI05uxYzub91uU19NYEu8ACfWSsB
1vXMvKj5Q3Hhb6h0gLphWWA=
=fhhJ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
October 10, 2006
This is the quarterly release snapshot for Fall 2006. While the code
has been running on Wikipedia for some time, installation and upgrade
bits may be less well tested. Bug fix releases may follow in the coming
days or weeks.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.
Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development
will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
== Configuration changes ==
* $wgUseETag, to enable/disable sending of HTTP ETag headers
  (default: disabled)
* $wgLegalTitleChars now includes '+' by default for better compatibility
  with importing data dumps from Wikipedia
* $wgDefaultUserOptions now includes all default option settings instead
  of only overrides.
== Major new features ==
* (bug 7098) Add an option to disable/enable sending of HTTP ETag headers,
  as it seems to result in broken behaviour in combination with Squid 2.6
  (disabled by default).
* (bug 550) Allow blocks on anonymous users only.
* (bug 6420) Render thumbnails for DJVU images, support multipage DJVU display
  on image pages. Added new 'page=' thumbnail option to select a page from a
  multipage djvu for thumbnail generation.
* Full Postgres support is now enabled. It requires version 8.1 or better, and
  needs to have both plpgsql and tsearch2 already installed.
* (bug 6386) fix grammatical errors in Danish naming of talk namespaces.
Full release notes:
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_8_0/phase3/RELEASE-NOTES
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_8_0/phase3/HISTORY
Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.8.0.tar.gz
MD5 checksum:
9141eba6b8faf17fe80edeb7699cfca4 mediawiki-1.8.0.tar.gz
SHA-1 checksum:
28084a2a1c307e558fa5e99975d3a3dbee2e9586 mediawiki-1.8.0.tar.gz
Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Help:FAQ
Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFLCV1wRnhpk1wk44RAoUcAJ9cGr304axlxgLLUWMwwfd4K8tR/ACgj12i
K8n5h25gWOLReeSsjdzBPlg=
=ceUE
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.7.1 is a security and bugfix maintenance release of the
Summer 2006 snapshot:
A potential HTML/JavaScript-injection vulnerability in a debugging script
has been fixed. Only versions and configurations of PHP vulnerable to the
$GLOBALS overwrite vulnerability are affected.
As a workaround for existing installs, profileinfo.php may simply be deleted
if it's not being used.
* Fix for 'emailconfirmed' implicit user group
* Fix for upgrades on some versions of MySQL 4.0.x
* Fixed potential XSS in profileinfo.php
* Installer now shows clear error message about old PHP versions
  rather than a confusing parse error
Note that MediaWiki 1.7 and above require PHP 5. If you are stuck with PHP 4,
please install MediaWiki 1.6.8.
Full release notes:
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_7_1/phase3/RELEASE-NOTES
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_7_1/phase3/HISTORY
Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.7.1.tar.gz
MD5 checksum:
50b74e2b5c86fb94c7201b72d2037662 mediawiki-1.7.1.tar.gz
SHA-1 checksum:
bdd685d4fe5d7b0d8e0ef2cf9a843bbab60d20ac mediawiki-1.7.1.tar.gz
- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEsJ4DwRnhpk1wk44RAt5RAJ97vL8gs+I8kOPAJdWU4RYtL74ixgCdGqZm
KreZ2Yxl68GLGqjDC0sPwAI=
=G+v5
-----END PGP SIGNATURE-----