-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MediaWiki 1.3.10 is a security release.

In earlier 1.3.x releases an attacker could craft a URL which, when visited by a particular logged-in user, would execute arbitrary JavaScript code on the user's browser in the wiki's site context. This attack has been blocked, and as an extra precaution the user CSS and JavaScript subpage support is now disabled by default. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

Additional protections have been added against off-site form submissions hijacking user credentials. Authors of bot tools may need to update their code to include additional fields.

All wikis running 1.3.x are strongly urged to upgrade to 1.3.10.

=== Changes from 1.3.9 ===

* Logged-in edits and preview of user CSS/JS are now locked to a session token.

* Per-user CSS and JavaScript subpage customizations now disabled by default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.

* Removed .ogg from the default uploads whitelist as an extra precaution. If your web server is configured to serve Ogg files with the correct Content-Type header, you can re-add it in LocalSettings.php: ~ $wgFileExtensions[] = 'ogg';

Release notes: http://sourceforge.net/project/shownotes.php?release_id=302313

Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.3.10.tar.gz?download

Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system: http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)