MediaWiki 1.4rc1 is a security and bug fix release for the 1.4 beta series.
== Important security updates ==
A security audit found and fixed a number of problems. Users of MediaWiki 1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases should upgrade to 1.4rc1.
=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication cookies as well as more serious attacks.
* Media: links output raw text into an attribute value, potentially abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and Safari MIME-type autodetection bugs.
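To make the Media: link item concrete, here is an added illustration (not MediaWiki's code; the function names and the `/images/` path are assumptions) of the bug class and its fix: a title written unescaped into an attribute value versus one escaped for the attribute context.

```php
<?php
// Added example, not MediaWiki's own code. A file title is normally harmless
// as a file name, but once it is written into href="..." without escaping,
// a quote character in it ends the attribute and whatever follows is parsed
// as new markup. The hardened builder encodes the value for the URL and for
// the attribute context, so the title can never close the attribute.

function mediaLinkUnsafe(string $title): string
{
    // The bug class: raw text dropped straight into an attribute value.
    return '<a href="/images/' . $title . '">' . $title . '</a>';
}

function mediaLinkSafe(string $title): string
{
    // Percent-encode the path component, then entity-encode for the
    // attribute; ENT_QUOTES covers both ' and " so neither can end href="...".
    $href = '/images/' . rawurlencode($title);
    $attr = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    // The link text is a text node; the same escaping is correct there too.
    $text = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

// Constructed input: a title carrying a double quote (assumed, not from the page).
$title = 'Sample".png';

// In the unsafe output the quote terminates the href attribute early.
echo mediaLinkUnsafe($title), "\n";
// In the hardened output the quote is percent-encoded inside the URL and
// entity-encoded in the link text, so the markup structure is unchanged.
echo mediaLinkSafe($title), "\n";
```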
As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled by default as a general precaution. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.
=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various restricted actions by tricking an authenticated user into visiting a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has been expanded in this release to other forms and functions.
Authors of bot tools may need to update their code to include the additional fields.
=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated administrator to delete arbitrary files in directories writable by the web server, and confirm existence of files not deletable.
== Changes since 1.4beta6 ==
* Fix notice error on nonexistent template in wikitext system message
* (bug 1469) add missing <ul> tags on Special:Log
* (bug 1470) remove extra <ul> tags from Danish log messages
* Fix notice on purge w/ squid mode off
* (bug 1477) hide details of SQL error messages by default. Set $wgShowSQLErrors = true for debugging.
* (bug 1430) Don't check for template data when editing page that doesn't exist
* Recentchanges table purging fixed when using table prefix
* (bug 1431) Avoid redundant objectcache garbage collection
* (bug 1474) Switch to better-cached index for statistics page count
* Run Unicode normalization on all input fields
* Fix translation for allpagesformtext2 in LanguageZh_cn and LanguageZh_tw
* Block image revert without valid login
* (bug 1446) stub Bambara (bm) language file using French messages
* (bug 1432) Update Estonian localization
* (bug 1471) unclosed <p> tag in Danish messages
* convertLinks script fixes
* Corrections to template loop detection
* XHTML encoding fix for usernames containing & in Special:Emailuser
* (for zh) Search for variant links even when conversion is turned off, to help prevent duplicate articles.
* Disallow ISO 8859-1 C1 characters and "no-break space" in user names on Latin-1 wikis.
* Correct the name of the main page in LanguageIt
* Allow Special:Makesysop to work for usernames containing SQL special characters.
* Fix annoying blue line in Safari on scaled-down images on description page
* Increase upload sanity checks
* Fix XSS bug in Media: links
* Add cross-site form submission protection to various actions
* Fix fatal error on some dubious page titles
* Stub threshold displays correctly again
Release notes: http://sourceforge.net/project/shownotes.php?release_id=307068
Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.4rc1.tar.gz?download
Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikipedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org