[MediaWiki-announce] MediaWiki security update: 1.15.1 and 1.14.1

Tim Starling tstarling at wikimedia.org
Mon Jul 13 18:51:55 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1.

A cross-site scripting (XSS) vulnerability was discovered in
[[Special:Block]]. Only versions 1.14.0, 1.15.0 and release candidates
for those releases are affected.

Cross-site scripting vulnerabilities allow an unprivileged attacker to
gain administrator access to the wiki by tricking an administrator
into viewing a page which emits a malicious script. The malicious
script may also be able to gain privileged access to other
applications on the same domain.

Other changes in these releases:

1.15.1:
* Fixed fatal errors for unusual file repository configurations, such
as ForeignAPIRepo.
* Fixed the "change password" link on Special:Preferences to have the
correct returnto parameter.

1.14.1:
* (bug 17737) Fixed russian URLs for Special:BookSources
* (bug 17713) Using links with only an anchor no longer add an dummy
entry in the pagelinks table
* (bug 17897) Fixed string offset error in <pre> tags
* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
'permissiondenied' when the user is blocked
* Fixed performance regression when accessing deleted (archived) files

Upgrade FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading


**********************************************************************
  1.14.1
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.tar.gz

Patch to previous version (1.14.0), without interface text:
http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.14/mediawiki-i18n-1.14.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.14/mediawiki-1.14.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.14/mediawiki-i18n-1.14.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
  1.15.1
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.tar.gz

Patch to previous version (1.15.0):
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpbgkoACgkQdWgrCOij/sRAOgCgwk2XTXrxMkRrxsxNsAZj2EGK
CC0AoJ78EAOW0rGxs+K1NjFO59XfS1RS
=ZcRE
-----END PGP SIGNATURE-----



More information about the MediaWiki-announce mailing list