-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
MediaWiki 1.11.2 is a security release of the Fall 2007 snapshot release of MediaWiki. Possible cross-site information leaks using the callback parameter for JSON-formatted results in the API are prevented by dropping user credentials.
MediaWiki release versions prior to 1.11 are not vulnerable, as they do not include the callback feature which allows client-side JavaScript on other sites to reach API data.
Changes in this release:
* User credentials are dropped for API JSON requests using a callback * Edit tokens are not reported for API JSON requests using a callback
Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_11_2/phase3/RELEASE-NOT...
Download: http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch
GPG signatures: http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz.sig http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch.sig
SHA-1 checksums: c5d5e99d73e646cff421b3bb92dd638fb93cd575 mediawiki-1.11.2.tar.gz ce13da8071c4618deda28cf6e8c2eea110d258ef mediawiki-1.11.2.patch
MD-5 checksums: MD5 (mediawiki-1.11.2.tar.gz) = 12e81f27a37b15b9d1ed110d6f48b35f MD5 (mediawiki-1.11.2.patch) = 7cac126c2bdda3b32160da8faab246b4
Before asking for help, try the FAQ: http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list: (Please subscribe to receive announcements of security updates.) http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
- -- brion vibber (brion @ wikimedia.org)
mediawiki-l@lists.wikimedia.org