-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
MediaWiki 1.3.11 is a security release.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki 1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially ~ abusable for JavaScript injection. This has been corrected. * Additional checks added to file upload to protect against MSIE and ~ Safari MIME-type autodetection bugs.
As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled by default as a general precaution. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various restricted actions by tricking an authenticated user into visiting a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the additional fields.
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated administrator to delete arbitary files in directories writable by the web server, and confirm existence of files not deletable.
Release notes: http://sourceforge.net/project/shownotes.php?release_id=307067
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.3.11.tar.gz?download
Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com)
mediawiki-l@lists.wikimedia.org