[MediaWiki-announce] MediaWiki 1.11.2 released (security)
Brion Vibber
brion at wikimedia.org
Mon Mar 3 07:20:45 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MediaWiki 1.11.2 is a security release of the Fall 2007 snapshot release
of MediaWiki. Possible cross-site information leaks using the callback
parameter for JSON-formatted results in the API are prevented by
dropping user credentials.
MediaWiki release versions prior to 1.11 are not vulnerable, as they do
not include the callback feature which allows client-side JavaScript on
other sites to reach API data.
Changes in this release:
* User credentials are dropped for API JSON requests using a callback
* Edit tokens are not reported for API JSON requests using a callback
Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_11_2/phase3/RELEASE-NOTES
Download:
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch
GPG signatures:
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch.sig
SHA-1 checksums:
c5d5e99d73e646cff421b3bb92dd638fb93cd575 mediawiki-1.11.2.tar.gz
ce13da8071c4618deda28cf6e8c2eea110d258ef mediawiki-1.11.2.patch
MD-5 checksums:
MD5 (mediawiki-1.11.2.tar.gz) = 12e81f27a37b15b9d1ed110d6f48b35f
MD5 (mediawiki-1.11.2.patch) = 7cac126c2bdda3b32160da8faab246b4
Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ
Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Bug report system:
http://bugzilla.wikimedia.org/
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkfLps0ACgkQwRnhpk1wk46ZLgCfa1/wygI6y3ncmGiLW/AUqFku
YWEAoMTCedybr2GHmz7zldVk894rg8wL
=s6Xl
-----END PGP SIGNATURE-----
More information about the MediaWiki-announce
mailing list