-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

MediaWiki 1.4.2 is a security and bug fix release for the 1.4 stable release series.

A cross-site scripting injection vulnerability was discovered, which affects only MSIE clients and is only open if MediaWiki has been manually configured to run output through HTML Tidy ($wgUseTidy).

Several other bugs are fixed in this release.

All new installations are highly recommended to use 1.4.2 instead of 1.3.x; existing 1.3.x users should consider upgrading for bug fixes and new features. A 1.3.12 maintenance release is available with the Tidy fix; the relevant change is in includes/Parser.php.

=== Changes from 1.4.1 to 1.4.2 ===

* Fix math options in Finnish localization * Use in-process Tidy extension if available when $wgUseTidy is on * (bug 1933) Fix PATH_INFO usage under IIS with PHP ISAPI module * (bug 1188) <nowiki> in {{subst:}} includes fixed * (bug 1936) <!-- comments --> in {{subst:}} includes fixed * Fix a potential MSIE JavaScript injection vector in Tidy mode

Release notes for 1.4.2: http://sourceforge.net/project/shownotes.php?release_id=322146

Download: http://prdownloads.sf.net/wikipedia/mediawiki-1.4.2.tar.gz?download http://prdownloads.sf.net/wikipedia/mediawiki-1.3.12.tar.gz?download

Before asking for help, try the FAQ: http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list: http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system: http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC: #mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)