Tim Starling | 5 May 2011 07:52

MediaWiki security release 1.16.5


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.5. Two security
issues were discovered.

The first issue is yet another recurrence of the Internet Explorer 6
XSS vulnerability that caused the release of 1.16.4. It was pointed
out that there are dangerous extensions with more than four
characters, so the regular expressions we introduced had to be updated
to match longer extensions.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

The second issue allows unauthenticated users to gain additional
rights, on wikis where $wgBlockDisablesLogin is enabled. By default,
it is disabled. The issue occurs when a malicious user sends cookies
which contain the user name and user ID of a "victim" account. In
certain circumstances, the rights of the victim are loaded and persist
throughout the malicious request, allowing the malicious user to
perform actions with the victim's rights.

$wgBlockDisablesLogin is a feature which is sometimes used on private
wikis to prevent users who have an account from logging in and viewing
content on the wiki.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28639

**********************************************************************

Tim Starling | 5 May 2011 14:39

MediaWiki 1.17 beta 1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.17 release series.

Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.

MediaWiki 1.17 is a very large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.

*********************************************************************
                             What's new?
*********************************************************************

PHP 5.2.3
- ---------

We now require PHP version 5.2.3 or later. Why? Well, it brings with
it some tools for your beloved developers. It was released on June
1, 2007, so we believe this requirement will not be a hassle for
administrators. Be sure to check your PHP installation and contact
your host if it runs an outdated PHP version.

New installer