Brion Vibber | 5 Feb 2007 00:44

MediaWiki 1.9.2 released


This is a bug-fix update that fixes some installation and other minor
issues with the 1.9.1 release as well as a security issue which was
introduced in the 1.9 branch.

JavaScript code which regenerated the "sortable tables" feature did
not properly sanitize input, leading to an HTML injection vulnerability.

* (bug 8774) Fix path for GNU FDL rights icon on new installs
* (bug 8819) Fix full path disclosure with skins dependencies
* (bug 4268) Fixed data-loss bug in compressOld batch text compression
  affecting pages which had null edits (move, protect, etc) as second
  edit in a batch group. Isolated and patched by Travis Derouin.
* Security fix for sortable tables JavaScript

All users of 1.9.x should upgrade.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_2/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.2.tar.gz
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.2.patch

MD5 checksums:
c11aa0fd7ac10529606511913649a411  mediawiki-1.9.2.tar.gz
b08777601899686bf4e672766ee5e49e  mediawiki-1.9.2.patch

SHA-1 checksums:
2f63cba903444b0dc6559df29c57d1789c1284d1 mediawiki-1.9.2.tar.gz
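The first announcement describes an HTML injection in the JavaScript that regenerated sortable-table headers: cell text was concatenated into markup without sanitizing. The following is an added example, not MediaWiki's own wikibits.js code, that shows the vulnerable concatenation pattern beside a hardened version that escapes the label and validates the column index. The function names escapeHtml, renderSortHeaderUnsafe, renderSortHeaderSafe and containsInjectedTag, and the sample label, are assumptions constructed for this example.

```javascript
// Added example (not MediaWiki's code). Assumed helper names; the sample
// label below is constructed to resemble a wiki table header cell.

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the column label (page content, so editor-controlled)
// is concatenated into markup verbatim, so any tag in the label becomes
// live HTML when the header is re-rendered.
function renderSortHeaderUnsafe(label, columnIndex) {
  return '<a href="#" onclick="sortTable(' + columnIndex + ')">' + label + '</a>';
}

// Hardened pattern: the label is escaped before it enters the markup and the
// column index is forced to a non-negative integer so it cannot carry text.
function renderSortHeaderSafe(label, columnIndex) {
  const idx = Number.parseInt(columnIndex, 10);
  if (!Number.isInteger(idx) || idx < 0) {
    throw new RangeError('column index must be a non-negative integer');
  }
  return '<a href="#" onclick="sortTable(' + idx + ')">' + escapeHtml(label) + '</a>';
}

// Detection helper for a unit test or a rendering audit: strip the single
// wrapping <a>...</a> we generated and report any remaining tag-like syntax.
function containsInjectedTag(html) {
  const inner = html.replace(/^<a [^>]*>/, '').replace(/<\/a>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample label containing markup and attribute-breaking quotes.
const sampleLabel = 'Title <i>(draft)</i> & "notes"';

console.log('unsafe :', renderSortHeaderUnsafe(sampleLabel, 0));
console.log('safe   :', renderSortHeaderSafe(sampleLabel, 0));
console.log('unsafe contains injected tag:', containsInjectedTag(renderSortHeaderUnsafe(sampleLabel, 0)));
console.log('safe contains injected tag  :', containsInjectedTag(renderSortHeaderSafe(sampleLabel, 0)));
```

In a real DOM the same fix is usually done without string building at all: set `textContent` on the link element rather than assigning `innerHTML`, which removes the need to escape by hand.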

Brion Vibber | 21 Feb 2007 03:49

MediaWiki 1.9.3, 1.8.4, 1.7.3, 1.6.10 released


February 20, 2007

MediaWiki 1.9.3 is a security and bug-fix update to the Winter 2007
quarterly release. Minor compatibility fixes for IIS and PostgreSQL are
included.

An XSS injection vulnerability based on Microsoft Internet Explorer's
UTF-7 charset autodetection was located in the AJAX support module,
affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
$wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.

* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
* (bug 8984) Fix a database error in Special:Recentchangeslinked
  when using the PostgreSQL database.
* Add 'charset' to Content-Type headers on various HTTP error responses
  to forestall additional UTF-7-autodetect XSS issues. PHP sends only
  'text/html' by default when the script didn't specify more details,
  which some inconsiderate browsers consider a license to autodetect
  the deadly, hard-to-escape UTF-7.
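The second announcement's last bullet explains the mitigation for UTF-7 charset autodetection: responses that say only `text/html` invite the browser to guess the encoding, so an explicit `charset` is added to the Content-Type of error responses. The following is an added example, not MediaWiki's code, that audits a set of constructed HTTP responses for this condition and shows the repaired header value. The names hasCharset, ensureCharset and auditResponses, the sample responses, and the treatment of a missing Content-Type header as PHP's bare `text/html` default are assumptions made for this example.

```javascript
// Added example (not MediaWiki's code). Assumed helper names; the sample
// responses are constructed, not captured from any server.

// Media types a browser renders as markup; a missing charset on these is what
// allows the browser to fall back to encoding sniffing.
const SNIFFABLE_TYPES = ['text/html', 'application/xhtml+xml', 'text/xml', 'application/xml'];
const DEFAULT_CHARSET = 'UTF-8';

// True if the Content-Type value carries an explicit charset parameter.
function hasCharset(contentType) {
  return /;\s*charset\s*=\s*[^;\s]+/i.test(contentType);
}

// Return the media type portion, lower-cased, without parameters.
function mediaTypeOf(contentType) {
  return contentType.split(';')[0].trim().toLowerCase();
}

// Return the Content-Type value with a charset appended when one is missing on
// a sniffable media type; any other value is returned unchanged.
function ensureCharset(contentType, charset = DEFAULT_CHARSET) {
  if (!SNIFFABLE_TYPES.includes(mediaTypeOf(contentType)) || hasCharset(contentType)) {
    return contentType;
  }
  return contentType.trim() + '; charset=' + charset;
}

// Audit a list of {status, headers} responses and report the ones that leave
// the charset to the browser. Header names are matched case-insensitively.
// A response with no Content-Type at all is treated as bare 'text/html',
// the default the advisory says PHP sends (an assumption of this example).
function auditResponses(responses) {
  const findings = [];
  for (const r of responses) {
    const name = Object.keys(r.headers).find(k => k.toLowerCase() === 'content-type');
    const ct = name ? r.headers[name] : 'text/html';
    if (SNIFFABLE_TYPES.includes(mediaTypeOf(ct)) && !hasCharset(ct)) {
      findings.push({ status: r.status, contentType: ct, fixed: ensureCharset(ct) });
    }
  }
  return findings;
}

// Constructed sample responses: an error page with no header, one with a bare
// text/html, a correct one, and a binary one that needs no charset.
const sampleResponses = [
  { status: 404, headers: {} },
  { status: 500, headers: { 'Content-Type': 'text/html' } },
  { status: 200, headers: { 'content-type': 'text/html; charset=utf-8' } },
  { status: 200, headers: { 'Content-Type': 'image/png' } },
];

for (const f of auditResponses(sampleResponses)) {
  console.log(`status ${f.status}: "${f.contentType}" -> "${f.fixed}"`);
}
```

The audit is the part worth keeping after an upgrade: error paths (404 handlers, uncaught-exception pages, redirects with a body) are exactly where frameworks skip the normal header setup, so a small check like this run against a test deployment catches the responses that the main page templates never touch.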
