MediaWiki 1.3.9 is a security and bug fix release.
A flaw in upload handling has been found which may allow upload and execution of arbitrary scripts with the permissions of the web server. Only wikis that have enabled uploads and have a vulnerable Apache configuration will be affected, but to be safe all wikis should upgrade.
Wikis with uploads available should either disable uploads or upgrade to 1.3.9 immediately; if other files are customized and require merging changes, includes/SpecialUpload.php may be replaced individually to add the fix.
(It is also recommended to configure your web server to disable script execution in the 'images' subdirectory where uploads are placed, which prevents most attacks even if the wiki fails.)
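As an added illustration of that recommendation (not part of the original announcement), an Apache configuration fragment along these lines turns off script handling for the upload directory. The filesystem path and the list of extensions are assumptions to adapt to your installation, and the php_admin_flag line assumes PHP runs as an Apache module (mod_php).

```apache
# Added example, not from the MediaWiki release notes.
# /var/www/wiki/images is an assumed path: use your wiki's upload directory.
<Directory "/var/www/wiki/images">
    # Ignore .htaccess files, so an uploaded one cannot undo these settings
    AllowOverride None

    # No CGI execution and no server-side includes in this directory
    Options -ExecCGI -Includes

    # Switch the PHP interpreter off here.
    # Requires mod_php; delete this line if PHP is not loaded as a module,
    # otherwise Apache will reject the unknown directive at startup.
    php_admin_flag engine off

    # Drop any handler mappings inherited from the main configuration
    # (assumed extension list: extend it to match the handlers you have enabled)
    RemoveHandler .php .phtml .php3 .php4 .cgi .pl .py .shtml

    # Serve script-like and HTML files as plain text instead of
    # interpreting them; this also overrides an inherited
    # "AddType application/x-httpd-php" mapping for these extensions
    AddType text/plain .php .phtml .php3 .php4 .cgi .pl .py .shtml .html .htm
</Directory>
```

After reloading Apache, requesting a harmless test script placed in the directory should return its source text rather than its output.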
Changes from 1.3.8:
* Backported "Templates used in this page"-feature of EditPage
* Allow "MySkin" as a default skin.
* (bug 938) Parse namespaces correctly on self-interwiki links
* (bug 1010) fix broken Commons image link on Classic & Cologne Blue
* (bug 1004) Norsk language names for interwiki links changed, Nauruan language name changed
* Fix upload extension blacklist to protect against vulnerable Apache configurations
Release notes: http://sourceforge.net/project/shownotes.php?release_id=289468
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.3.9.tar.gz?download
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)