I would like to announce the release of MediaWiki 1.16.1, which is a security and maintenance release.
Wikipedia user PleaseStand pointed out that MediaWiki has no protection against "clickjacking". With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki.
Our fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users need to use a browser which supports X-Frame-Options. For information about supported browsers, see:
https://developer.mozilla.org/en/the_x-frame-options_response_header
For more information about this vulnerability and the related patch, see:
https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
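A post-upgrade check for the fix described above, as an added example that is not part of the original announcement or of MediaWiki itself: it reads saved response headers and lists requests other than plain page views that still permit cross-site framing. The wiki.example.org URLs and header blocks are constructed samples, and treating both DENY and SAMEORIGIN as protective, and "no action or action=view on a non-special title" as a normal page view, are assumptions. Special pages that are deliberately left frameable will show up as findings to review.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (URL, raw response headers) pairs, e.g. saved from `curl -sI`
# against a hypothetical wiki at wiki.example.org.
SAMPLES = [
    ("http://wiki.example.org/index.php?title=Main_Page",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"),
    ("http://wiki.example.org/index.php?title=Main_Page&action=edit",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"),
    ("http://wiki.example.org/index.php?title=Main_Page&action=delete",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("http://wiki.example.org/index.php?title=Special:Preferences",
     "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n"),
]

def frame_policy(raw_headers):
    """Return the X-Frame-Options value in upper case, or None if absent."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive.
        if sep and name.strip().lower() == "x-frame-options":
            return value.strip().upper()
    return None

def is_plain_view(url):
    """Assumption: a normal page view has no action (or action=view) and a non-special title."""
    query = parse_qs(urlsplit(url).query)
    action = query.get("action", ["view"])[0]
    title = query.get("title", [""])[0]
    return action == "view" and not title.startswith("Special:")

def audit(samples):
    """Return (url, policy) for responses outside plain views that allow cross-site framing."""
    findings = []
    for url, raw in samples:
        policy = frame_policy(raw)
        if not is_plain_view(url) and policy not in ("DENY", "SAMEORIGIN"):
            findings.append((url, policy))
    return findings

if __name__ == "__main__":
    for url, policy in audit(SAMPLES):
        print("frameable:", url, "X-Frame-Options =", policy)
```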
Other changes in MediaWiki 1.16.1:
* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload.
* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
* (bug 25248) Fixed paraminfo errors in certain API modules.
* The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled.
* (bug 19593) Specifying --server now works for all maintenance scripts.
* Fixed $wgLicenseTerms register globals.
Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOT...
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz
Patch to previous version (1.16.0), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz....
Public keys: https://secure.wikimedia.org/keys.html
mediawiki-announce@lists.wikimedia.org