Brion Vibber | 24 Jan 01:59 2008

MediaWiki 1.11.1, 1.10.3, 1.9.5 released


This is a security and bugfix release of the Fall, Spring, and Winter
2007 snapshot releases of MediaWiki. A potential XSS injection vector
affecting api.php only for Microsoft Internet Explorer users has been
closed.

To work around the vulnerability without upgrading, you may disable the
API if you don't need it:

  $wgEnableAPI = false;

Not vulnerable versions:
* 1.12 or later
* 1.11 >= 1.11.1
* 1.10 >= 1.10.3
* 1.9 >= 1.9.5
* 1.8 any version (if $wgEnableAPI has been left off)

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include
the API functionality; however, the BotQuery extension is similarly
vulnerable unless updated to the latest SVN version.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_11_1/phase3/RELEASE-NOTES