[MediaWiki-announce] MediaWiki 1.13.2, 1.12.1 security update

Tim Starling tstarling at wikimedia.org
Thu Oct 2 16:03:25 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.12 and MediaWiki
1.13. A vulnerability has been discovered which allows arbitrary HTML
injection and thus possible user account compromise. The vulnerability
is only present when $wgUseSiteCss is turned on, which is the
default. Versions 1.11 and earlier are NOT vulnerable, nor is the
development branch later than July 28, 2008.

Also, there was the potential for a subtle user error while editing
$wgGroupPermissions in LocalSettings.php to cause all restrictions to
be disabled. This has been rectified.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_13_2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_12_1/phase3/RELEASE-NOTES

See below for downloads.


**********************************************************************
    MEDIAWIKI   1.13.2
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.2.tar.gz

Patch to previous version (1.13.1), without interface text:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-1.13.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.13/mediawiki-i18n-1.13.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

SHA-1 checksums:
b05bc48d3d0959f2954c0f1f8a17c2d28bbf2f30  mediawiki-1.13.2.tar.gz
a0c49a51190c129fc47d226352cb4fa720151921  mediawiki-1.13.2.patch.gz
837c7d26e9957ee4e8cd952777809cb8dbe2aea8  mediawiki-i18n-1.13.2.patch.gz

MD5 checksums:
74f1877802b663ade2b25ae9e35eef94  mediawiki-1.13.2.tar.gz
f3fb6f268f82b9a2287a64d739cdf76f  mediawiki-1.13.2.patch.gz
c9593580018eb54f5bd5cf6b1f88331e  mediawiki-i18n-1.13.2.patch.gz


**********************************************************************
    MEDIAWIKI   1.12.1
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.1.tar.gz

Patch to previous version (1.12.0), without interface text:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-1.12.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.12/mediawiki-i18n-1.12.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

SHA-1 checksums:
652e4de6be737d26938041e406fb523713104724  mediawiki-1.12.1.tar.gz
402dd9161bd8d12871210aacc5080a9c775b44b4  mediawiki-1.12.1.patch.gz
1cd7f13cfa1d33ba38fdbd5ba390b78b742cad78  mediawiki-i18n-1.12.1.patch.gz

MD5 checksums:
032cce49559e406ce8890608484cc610  mediawiki-1.12.1.tar.gz
c35ab55de943287bb9d81bd2f47e65a7  mediawiki-1.12.1.patch.gz
e674e4f3e096a14c56273d715d895be5  mediawiki-i18n-1.12.1.patch.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI5PDMdWgrCOij/sQRArC8AJ9DWwmViFF645RJmSJww6EWlmVhVQCgq3vz
3GLLAXxRjUw3lJiTJzxWf7U=
=F/Zo
-----END PGP SIGNATURE-----



