MediaWiki 1.4.5 is a security update and bugfix release.
Incorrect handling of page template inclusions made it possible to inject JavaScript code into HTML attributes, which could lead to cross-site scripting attacks on a publicly editable wiki.
Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
This release also includes a number of bug fixes (see changelog below) and merges some large-server load balancing patches from Wikipedia.
An experimental rate limiter for page edits and moves can be enabled on a global, per-IP, per-subnet, or per-user basis. See the configuration options in includes/DefaultSettings.php.
=== Changes since 1.4.4 ===
* Fix for reading incorrectly re-gzipped HistoryBlob entries
* Generalize project namespace for Latin localization, update namespaces
* (bug 2075) Corrected namespace definitions in Tamil localization
* (bug 1692) Fix margin on unwatch tab
* Avoid overwriting shared image metadata cache with bogus encoding conversions
* Fix reporting of minor edits in Special:Export output
* (bug 2150) Fix tab indexes on edit form
* Run ArticleSave hooks on image upload.
* (bug 2239) Fix non-ASCII chars in linktrail for Latin-1 mode
* (bug 1454) Backport edit/move rate limiter from CVS HEAD (experimental)
* (bug 1929) Fix documentation comment for $wgWhitelistRead
* (bug 1975) The name for Limburgish (li) changed from "Lèmburgs" to "Limburgs"
* (bug 2019) Wrapped the output of Special:Version in <div dir='ltr'> in order to preserve the correct flow of text on RTL wikis.
* (bug 2084) Fixed a regular expression in includes/Title.php that was accepting invalid syntax like #REDIRECT [[foo] in redirects
* (bug 2087) Fixed a bug in special page handling which stopped "0" from being passed to all special pages with the Special:Page/0 syntax.
* (bug 2094) Multiple use of a template produced wrong results in some cases
* Fixed a bug in Special:Allpages, Special:Contributions, Special:Whatlinkshere, Special:Recentchangeslinked and Special:Emailuser: they all mishandled being passed "0" with the Special:Page/0 syntax (unrelated to bug 2087). This either required a workaround in the form of passing "0" as a GET value or blocked the user from passing that value at all.
* Fixed a bug in Special:Newimages that made it impossible to search for '0'
* (bug 2217) Negative ISO years were incorrectly converted to BC notation.
* (bug 2267) Don't generate thumbnail at the same size as the source image.
* Disable fulltext image name search in Special:Imagelist during MiserMode.
* Fix sorting of profiling output in debug log: largest last for easy tailing
* (bug 2281) Fix regression with page moves taking the wrong talk pages
* Regression fix: watchlist day cutoff
* (bug 2173) Fatal error when removing an article with an empty title from the watchlist
* (bug 2034) Armor HTML attributes against template inclusion and links munging
Release notes: http://sourceforge.net/project/shownotes.php?release_id=332231
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.4.5.tar.gz?download
Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ
Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)