Tim Starling | 9 Mar 00:49 2010

MediaWiki security update: 1.15.2


This is a security and bugfix release of MediaWiki 1.15.2.

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display
external images in wiki pages. This is a privacy concern on public
wikis, since a malicious user may link to an image on a server they
control, which would allow that attacker to gather IP addresses and
other information from users of the public wiki. All sites running
publicly-editable MediaWiki installations are advised to upgrade. All
versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects
wikis which restrict access to private files using img_auth.php, or
some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do
not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl'].
Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the
patch below to whatever version of MediaWiki you are using.

MediaWiki is not compatible with PHP 5.3.1 due to a bug in that
release, which is fixed in PHP 5.3.2. This release of MediaWiki will
refuse to upgrade if an affected version of PHP is present. Note that
local or distribution-specific backports of the PHP bug fix are
supported. See http://bugs.php.net/50394 for details.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_2/phase3/RELEASE-NOTES
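The CSS validation issue described above belongs to a general class: a filter that inspects the raw style attribute for a forbidden token such as url( can be bypassed when CSS comments or escapes split or encode that token, and the browser, which decodes them, still fetches the external image. The following is an added example, not MediaWiki's code and not the specific bypass fixed in 1.15.2; it shows a naive substring check beside a version that canonicalizes the value first, and an audit helper for finding external references in already-stored content. The sample values, the tracker.example host and the deny-list are constructed for illustration.

```python
"""
Style-attribute sanitization: why a literal "url(" check is not enough.

Added example, not MediaWiki's code. The obfuscated inputs below are
constructed to illustrate the general class (CSS comments and escapes
hiding a token), not the specific bypass fixed in 1.15.2.
"""
import re


# The kind of check that is easy to bypass: inspects the raw string only.
def naive_is_safe(style: str) -> bool:
    return "url(" not in style.lower()


# --- hardened version: canonicalize first, then inspect ----------------

# A closed comment, or an unterminated one running to end of string.
_COMMENT_RE = re.compile(r"/\*.*?\*/|/\*.*$", re.S)
# Both escape forms in a single pass, so a backslash produced by decoding
# one escape is never re-read as the start of a second escape.
_ESCAPE_RE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)


def _unescape(m: re.Match) -> str:
    hexdigits, char = m.group(1), m.group(2)
    if hexdigits is None:
        return char                      # "\(" -> "("
    cp = int(hexdigits, 16)
    if cp == 0 or cp > 0x10FFFF:
        return "\ufffd"                  # CSS maps invalid code points to U+FFFD
    return chr(cp)


def normalize_css(style: str) -> str:
    """Canonical form of a style value for deny-list inspection.

    Deliberately conservative: stripping comments before decoding escapes
    and deleting all whitespace can only make the result match *more*
    forbidden tokens than a browser would see, never fewer.
    """
    s = _COMMENT_RE.sub("", style)
    s = _ESCAPE_RE.sub(_unescape, s)
    s = re.sub(r"\s+", "", s)
    return s.lower()


# Constructed deny-list of constructs that fetch remote resources or run
# code in some browsers; an allow-list of properties is the stronger design.
_FORBIDDEN = ("url(", "image(", "image-set(", "expression(",
              "@import", "-moz-binding", "behavior:")


def hardened_is_safe(style: str) -> bool:
    canon = normalize_css(style)
    return not any(tok in canon for tok in _FORBIDDEN)


_URL_RE = re.compile(r"url\((['\"]?)([^'\")]*)\1\)")


def external_refs(style: str) -> list[str]:
    """URLs a browser would fetch for this value. Useful for auditing stored
    wikitext after an upgrade: fixing the sanitizer does not clean content
    that was saved while the filter was bypassable."""
    return [m.group(2) for m in _URL_RE.finditer(normalize_css(style))]


# Constructed sample values an editor might place in a style="" attribute.
SAMPLES = {
    "plain":     "color: red; font-weight: bold",
    "direct":    "background: url(http://tracker.example/pixel.gif)",
    "comment":   "background: u/**/rl(http://tracker.example/pixel.gif)",
    "hexescape": "background: \\75rl(http://tracker.example/pixel.gif)",
    "mixed":     "BACKGROUND: \\55 R\\4c/* */(http://tracker.example/p.gif)",
}


def compare() -> dict[str, tuple[bool, bool]]:
    """name -> (naive_is_safe, hardened_is_safe) for each sample value."""
    return {k: (naive_is_safe(v), hardened_is_safe(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:10s} naive={'pass' if naive else 'BLOCK':5s} "
              f"hardened={'pass' if hard else 'BLOCK'}")
    print("refs:", external_refs(SAMPLES["mixed"]))
```

Run stand-alone, the three obfuscated samples pass the naive check and are blocked by the hardened one. The point of decoding escapes in one pass is visible in a value like `\5c 75rl(`: it yields a literal backslash followed by `75rl(`, which is not `url(` to a browser either, so the sanitizer agrees with the browser rather than rejecting on a second decoding round.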

Tim Starling | 13 Mar 02:01 2010

MediaWiki 1.16.0beta1 now available


The first beta release of the 1.16 branch is now available for
download. Please try it and tell us if it works for you. This beta
release is not recommended for use in a production environment.

Selected changes since MediaWiki 1.15 that may be of interest:

* Watchlists now have RSS/Atom feeds. RSS feeds generally are now
hidden, since Atom is a better protocol and is supported by virtually
all clients.

* It's now possible to block users from sending email via
Special:Emailuser.

* The maintenance script system was overhauled. Most maintenance
scripts now have a useful help page when you run them with --help.

* AdminSettings.php is no longer required in order to run maintenance
scripts. You can just set $wgDBadminuser and $wgDBadminpassword in
your LocalSettings.php instead.

* The preferences system was overhauled. Preferences are stored in a
more compact format. Changes to site default preferences will
automatically affect all users who have not chosen a different preference.

* Support for SQLite was improved. Some broken features were fixed,
and it now has an efficient full-text search.

* The user groups ACL system was improved by allowing rights to be
revoked, instead of just granted.