-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
An XSS injection vulnerability was located in the AJAX support module, affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.
There is no danger in the default configuration, with $wgUseAjax off.
If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-N...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTE...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTE...
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTE...
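The affected range and fixed releases listed above can be turned into a triage check for a set of wikis. This is an added example, not code from the announcement or from MediaWiki; the function names, the status strings and the sample inventory are assumptions made for illustration.

```python
import re

FINAL = 10**6  # sorts a final release after any release candidate of that patch level

# First fixed release per branch, from the announcement: (patch, rc number).
FIXED = {
    (1, 6): (9, FINAL),   # 1.6.9
    (1, 7): (2, FINAL),   # 1.7.2
    (1, 8): (3, FINAL),   # 1.8.3
    (1, 9): (0, 2),       # 1.9.0rc2
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text):
    """Split '1.9.0rc1' into ((1, 9), (0, 1)); a final release gets rc = FINAL."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rc = int(m.group(4)) if m.group(4) else FINAL
    return (major, minor), (patch, rc)


def triage(version, use_ajax):
    """Classify one wiki by its version and its $wgUseAjax setting."""
    branch, level = parse_version(version)
    if branch < (1, 6):
        return "not affected"          # the advisory covers 1.6.x and up
    if branch not in FIXED:
        return "unknown"               # branch not listed in the announcement
    if level >= FIXED[branch]:
        return "fixed"
    # Unfixed code: exposure depends on the optional $wgUseAjax setting.
    return "vulnerable" if use_ajax else "unfixed, not exposed"


def triage_inventory(inventory):
    """Map wiki name -> status for (name, version, use_ajax) records."""
    return {name: triage(version, ajax) for name, version, ajax in inventory}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("intranet", "1.8.2", True),
    ("docs", "1.9.0rc1", False),
    ("archive", "1.6.9", True),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name}: {status}")
```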
Download: http://sourceforge.net/project/showfiles.php?group_id=34373
MD5 checksums:
747d79037d3b90494d7e8b956a6bb9a0 mediawiki-1.9.0rc2.tar.gz
9ef825abfcf0888b22571bbb097480f0 mediawiki-1.8.3.tar.gz
ef33231cb1689dc813f4b08e955f4b18 mediawiki-1.7.2.tar.gz
1ce42061b5f7ea6e4101826b969d2ee4 mediawiki-1.6.9.tar.gz
SHA-1 checksums:
1451e8a8a10f41e517c12ede266dd1a5a743d8fe mediawiki-1.9.0rc2.tar.gz
fa4daa4376b80f61be5925e6172daa76938d9bad mediawiki-1.8.3.tar.gz
f63468ce745bbda6d42f66fc64c713b4fd000ef2 mediawiki-1.7.2.tar.gz
a00bcc6b306a92234da0c2cd3d564869a15045a0 mediawiki-1.6.9.tar.gz
Before asking for help, try the FAQ: http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list: (Please subscribe to receive announcements of security updates.) http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list: http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system: http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
wikitech-l@lists.wikimedia.org