Brion Vibber | 24 Aug 00:59 2005

MediaWiki 1.3.14, 1.4.8, 1.5rc1 released [SECURITY]


MediaWiki 1.5rc1 is a preview release of the new 1.5 release series.
Numerous bug fixes since last beta, plus a security fix; see change
log in the release notes for full details.

A flaw in the interaction between extensions and HTML attribute
sanitization was discovered which could allow unauthorized use
of offsite resources in style sheets, and possible exploitation
of a JavaScript injection feature on Microsoft Internet Explorer.

This version expands the returned text and properly checks it
before output.

MediaWiki 1.4.8 is a bug fix and security maintenance release. It fixes
the above bug, plus an update to skins/MonoBook.php ensures that sites
using the default MonoBook skin will display correctly in the Internet
Explorer 7 beta. (1.3 and 1.5 are not affected by this display problem.)

MediaWiki 1.3.14 is a security maintenance release.

The 1.3.x series is no longer maintained except for security fixes;
new users and those seeking bug fixes should upgrade to 1.4.8 or 1.5rc1.
Existing 1.3.x installations not willing to upgrade to the current
stable release should apply the change manually; details are in the
release notes.

If you are actively using extensions to generate HTML attribute values,
upgrade to 1.4 or 1.5 for a full fix; 1.3.14 simply disables any attempt
to use such.

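Added example, not part of the original announcement and not MediaWiki code: a simplified Python model of why the order of expansion and checking matters, including a stopgap in the style of 1.3.14 that disables extension output in attribute values. The placeholder scheme, function names and sample values are assumptions made for illustration.

```python
import re

# Constructed model: extension output is held under opaque placeholder
# tokens and substituted into the page later (an assumption for illustration).
PLACEHOLDER = re.compile(r"\x07EXT(\d+)\x07")

# Style values that load offsite resources are rejected; this single rule
# stands in for a full attribute sanitizer.
OFFSITE = re.compile(r"url\s*\(", re.IGNORECASE)


def expand(value, ext_output):
    """Replace each placeholder with the text the extension returned."""
    return PLACEHOLDER.sub(lambda m: ext_output[int(m.group(1))], value)


def check_style(value):
    """Return the value if it passes the check, else an empty string."""
    return "" if OFFSITE.search(value) else value


def render_check_then_expand(style, ext_output):
    """Flawed order: the check sees only the placeholder, not the real text."""
    return expand(check_style(style), ext_output)


def render_expand_then_check(style, ext_output):
    """Fixed order: expand the returned text, then check it before output."""
    return check_style(expand(style, ext_output))


def render_disable(style, ext_output):
    """Stopgap: drop any attribute value that contains extension output."""
    return "" if PLACEHOLDER.search(style) else check_style(style)


# Constructed sample: extension 0 returns a style fragment with an offsite URL.
EXT_OUTPUT = {0: "background: url(http://offsite.example/x.png)"}
STYLE = "color: red; \x07EXT0\x07"

if __name__ == "__main__":
    for fn in (render_check_then_expand, render_expand_then_check, render_disable):
        print(fn.__name__, repr(fn(STYLE, EXT_OUTPUT)))
```

The stopgap also drops harmless extension output, which is why it is a partial measure compared with expanding and then checking.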

Brion Vibber | 24 Aug 05:34 2005

MediaWiki 1.5rc2 released (package fix)


The MediaWiki 1.5rc1 release package was mistakenly built from the
development source tree rather than the 1.5 release source tree.

If you find yourself with a site claiming to be "1.6alpha" at
Special:Version, you might be slightly more avant garde than you had
intended. :)

A corrected 1.5rc2 package from the 1.5 release branch has been uploaded.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=351309

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc2.tar.gz?download

MD5 checksums:
mediawiki-1.5rc2.tar.gz   d3855d011ad3e860d98e2e9ae5178cbd

Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikimedia.org/

Brion Vibber | 25 Aug 08:19 2005

MediaWiki 1.5rc3 released [SECURITY]


MediaWiki 1.5rc3 is a preview release of the new 1.5 release series.
It fixes several major problems in 1.5rc2:

* Fixed a cross-site scripting injection in the search form
  (broken since 1.5beta1)

* Fixed upgrades from 1.4 database schema
  (broken since 1.5rc2)

1.3 and 1.4 releases are not vulnerable to the XSS bug, but anyone
running an earlier 1.5 beta or release candidate should upgrade
immediately.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=351567

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc3.tar.gz?download

MD5 checksum:
mediawiki-1.5rc3.tar.gz   fd051830057a1b5e7ea7032933a9cd6c

Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:

Brion Vibber | 30 Aug 02:36 2005

MediaWiki 1.5rc4, 1.4.9, 1.3.15 released [SECURITY]


These are security and maintenance releases, which fix two cross-site
scripting bugs. All internet-facing wikis are recommended to upgrade to
the current release in their series.

Incorrect handling of <math> tags when TeX rendering is disabled, as in
the default configuration. (Wikis where the optional math support has
been *enabled* are not vulnerable.)

* 1.5 vulnerable: <= 1.5rc3  fixed: >= 1.5rc4
* 1.4 vulnerable: <= 1.4.8   fixed: >= 1.4.9
* 1.3 vulnerable: <= 1.3.14  fixed: >= 1.3.15

Incorrect handling of <nowiki> and extension tags in table styles:

* 1.5 vulnerable: <= 1.5rc3  fixed: >= 1.5rc4
* 1.4 vulnerable: <= 1.4.8   fixed: >= 1.4.9
* 1.3 not vulnerable

Additionally, 1.5rc4 fixes some compatibility issues with PHP 5.1 beta.

Release notes:
1.5rc4 http://sourceforge.net/project/shownotes.php?release_id=352778
1.4.9  http://sourceforge.net/project/shownotes.php?release_id=352777
1.3.15 http://sourceforge.net/project/shownotes.php?release_id=352776

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5rc4.tar.gz?download
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.9.tar.gz?download
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.15.tar.gz?download
