MediaWiki 1.3.11 is a security release.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication
cookies, and to mount more serious attacks.
* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.
As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the
additional fields.
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and to confirm the existence of files that could not be deleted.
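The kind of check that closes this class of bug, as an added illustration rather than MediaWiki's own fix: the untrusted name is resolved against the canonical upload directory, anything that lands outside it (".." segments, absolute paths, symlinks) is rejected, and every failure yields the same result so the response cannot be used to probe for files the handler may not delete. The upload directory, file names and the `delete_image` handler are assumptions for the example.

```python
import os
import tempfile


class InvalidFilename(ValueError):
    """Name does not resolve to a path inside the upload directory."""


def resolve_upload(upload_dir: str, name: str) -> str:
    """Return the canonical path of `name` under `upload_dir` or raise.

    realpath() on both sides defeats '..' segments, absolute names and
    symlinks that point out of the tree; the trailing separator stops a
    base of '/srv/uploads' from accepting '/srv/uploads2/x'.
    """
    base = os.path.realpath(upload_dir)
    if not name or os.path.isabs(name) or "\0" in name:
        raise InvalidFilename("bad name")
    target = os.path.realpath(os.path.join(base, name))
    if not target.startswith(base + os.sep):
        raise InvalidFilename("escapes upload directory")
    return target


def delete_image(upload_dir: str, name: str) -> bool:
    """Hypothetical deletion handler: True if deleted, False otherwise.

    Rejected names and OS errors both map to False, so the caller learns
    nothing about whether an out-of-tree path exists.
    """
    try:
        os.remove(resolve_upload(upload_dir, name))
        return True
    except (InvalidFilename, OSError):
        return False


def demo() -> dict:
    """Exercise the handler on a constructed throwaway tree (Unix symlinks)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(os.path.join(uploads, "a", "ab"))
        secret = os.path.join(root, "secret.txt")  # outside the upload tree
        for p in (os.path.join(uploads, "a", "ab", "ok.png"), secret):
            open(p, "w").close()
        os.symlink(secret, os.path.join(uploads, "link.png"))
        results = {
            "valid": delete_image(uploads, "a/ab/ok.png"),
            "traversal": delete_image(uploads, "../secret.txt"),
            "absolute": delete_image(uploads, secret),
            "symlink": delete_image(uploads, "link.png"),
        }
        results["secret_intact"] = os.path.exists(secret)
        return results
```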
Release notes:
http://sourceforge.net/project/shownotes.php?release_id=307067
Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.11.tar.gz?download
Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)