[MediaWiki-announce] MediaWiki 1.3.13 released [SECURITY]

Brion Vibber brion at pobox.com
Fri Jun 3 15:27:12 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MediaWiki 1.3.13 is a security maintenance release.

Incorrect handling of page template inclusions made it possible to
inject JavaScript code into HTML attributes, which could lead to
cross-site scripting attacks on a publicly editable wiki.

Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended

The 1.3.x series is no longer maintained except for security fixes;
new users and those seeking general bug fixes should install 1.4.5.
Existing 1.3.x installations not willing or able to upgrade to the
current stable release should update the installation to 1.3.13; only
includes/Parser.php has changed from 1.3.12.


Release notes:
http://sourceforge.net/project/shownotes.php?release_id=332230

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.13.tar.gz?download

Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCoHbQwRnhpk1wk44RArfFAJ924sPPqqy14sfDPOlVVF/zq3m9AwCfaTKY
/C1EiL5nXaEou/aJNTqsdI8=
=6HE3
-----END PGP SIGNATURE-----