[Mediawiki-l] MediaWiki 1.3.13 released [SECURITY]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MediaWiki 1.3.13 is a security maintenance release. Incorrect handling of page template inclusions made it possible to inject JavaScript code into HTML attributes, which could lead to cross-site scripting attacks on a publicly editable wiki. Vulnerable releases and fix: * 1.5 prerelease: fixed in 1.5alpha2 * 1.4 stable series: fixed in 1.4.5 * 1.3 legacy series: fixed in 1.3.13 * 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended The 1.3.x series is no longer maintained except for security fixes; new users and those seeking general bug fixes should install 1.4.5. Existing 1.3.x installations not willing or able to upgrade to the current stable relase should update the installation to 1.3.13; only includes/Parser.php has changed from 1.3.12. Release notes: http://sourceforge.net/project/shownotes.php?release_id=332230 Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.3.13.tar.gz?download Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l Bug report system: http://bugzilla.wikipedia.org/ Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net - -- brion vibber (brion @ pobox.com)