I would like to announce the release of MediaWiki 1.18.4. One security issue was discovered.
Both Chris Steipp and Formafix discovered that the uselang http parameter was vulnerable to XSS.
For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=36938
Chris Steipp also improved the blacklisting of bad elements in SVG files. This includes catching known hostile files, and also disallowing the upload of svg files that include remote resources.
This is work is part of an on-going effort to prevent exploits being hidden in uploaded SVG files.
Full release notes: https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE LEASE-NOTES-1.18;hb=1.18.4
https://www.mediawiki.org/wiki/Release_notes/1.18
********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.tar.gz
Patch to previous version (1.18.3): http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.patch.gz
GPG signatures: http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.tar.gz.sig http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.4.patch.gz.sig
Public keys: https://secure.wikimedia.org/keys.html