<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce">
    <title>gmane.org.wikimedia.mediawiki.announce</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182">
    <title>MediaWiki 1.19.0 released</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first stable release
of the new MediaWiki 1.19 release series.

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes in
this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the
beta release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

Comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-05-02T14:31:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181">
    <title>MediaWiki 1.19.0rc1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first release candidate
release of the new MediaWiki 1.19 release series.

Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.19.0.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of v&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180">
    <title>MediaWiki maintenance release 1.18.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.3. This release
corrects issues from the 1.18.2 security release, and also some other bugs.

* (bug 35446) Using "{{nse:}}" with an invalid namespace name no longer throws
  a PHP warning.
* (bug 35567) The whole password reminder e-mail is now sent in the same
  language.
* (bug 35961) Hash comparison should always be strict.
* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
  on line 598.
* Fix broken email confirmation expiration caused by MWCryptRand changes.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES-1.18;hb=REL1_18
https://www.mediawiki.org/wiki/Release_notes/1.18

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.tar.gz

Patch to previous version (1.18.2):
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.patch.gz

GPG signature&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179">
    <title>MediaWiki maintenance release 1.17.4</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.4. This release
corrects issues from the 1.17.3 security release, and also some other bugs.

* (bug 35961) Hash comparison should always be strict.
* Fix broken email confirmation expiration caused by MWCryptRand changes.
* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
  on line 598.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES;hb=REL1_17
https://www.mediawiki.org/wiki/Release_notes/1.17


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz

Patch to previous version (1.17.3):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178">
    <title>MediaWiki 1.19.0beta2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the second beta release of the
new MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Five security issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the d&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177">
    <title>MediaWiki security and maintenance release 1.17.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.3. Five security
issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of CSRF
protection tokens. This allows compromise of the wiki's user accounts, say by
changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176">
    <title>MediaWiki security and maintenance release 1.18.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.2. Five security
issues were discovered.

It was discovered that the api had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of CSRF
protection tokens. This allows compromise of the wiki's user accounts, say by
changing the user's email address and then requesting a password reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175">
    <title>MediaWiki 1.19.0beta1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first beta release of the new
MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any wikis
that you really care about, unless you are both very brave and very confident
in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users. You can
consult the RELEASE-NOTES-1.19 file for the full list of changes in this
version.

*********************************************************************
                             What's new?
*********************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

Comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so in&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-07T19:09:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174">
    <title>MediaWiki security and maintenance release 1.18.1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.1. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

1.18.1 is also the first maintenance release of the 1.18 series, bringing
numerous bug fixes to MediaWiki for issues found in the 1.18.0 release.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_18_1/phase3/RELEASE-NOTES


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz

Patch to previous version (1.18.0), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.t&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-01-11T21:50:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173">
    <title>MediaWiki security release 1.17.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.2. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_17_2/phase3/RELEASE-NOTES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz

Patch to previous version (1.17.1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.1&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-01-11T21:50:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172">
    <title>MediaWiki 1.17.0 released</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are proud to announce the first stable release of the 1.17 series.

Selected changes since MediaWiki 1.16 that may be of interest:

* A new installer has been introduced. It has a wizard-style interface
  which is translated into many languages. Many shortcomings in the old
  installer were addressed with this rewrite. Note that it is no longer
  required for the config directory to be made writable by the webserver.
  Instead the generated LocalSettings.php file is offered as a download,
  which you must then upload to the wiki's base directory.

* ResourceLoader, a new framework for delivering client-side resources
  such as JavaScript and CSS, has been introduced. These resources are
  now delivered through the new entry point script "load.php", instead of
  as static files served directly by the web server. This allows
  minification, compression and client-side caching to be used more
  effectively, which should provide a net performance improvement for&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-06-22T04:56:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171">
    <title>MediaWiki release candidate 1.17.0rc1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A release candidate for the MediaWiki 1.17 branch is now available.
Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.17.0.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports. Many bugs have been
fixed, especially in the new installer.

Full release notes:
http://www.mediawiki.org/wiki/Release_notes/1.17

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz

Patch to previous version (1.17.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.0rc1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz.sig
http://download.wikimedia.or&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-06-14T02:54:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170">
    <title>MediaWiki 1.17 beta 1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.17 release series.

Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.

MediaWiki 1.17 is a very large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.

*********************************************************************
                             What's new?
*********************************************************************

PHP 5.2.3
- ---------

We now require PHP version 5.2.3 or later. Why? Well, it brings with
it some tools for your beloved developers. It was released on June
1, 2007, so we believe this requirement will not be a hassle for
administrators. Be sure to check&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-05-05T12:39:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169">
    <title>MediaWiki security release 1.16.5</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.5. Two security
issues were discovered.

The first issue is yet another recurrence of the Internet Explorer 6
XSS vulnerability that caused the release of 1.16.4. It was pointed
out that there are dangerous extensions with more than four
characters, so the regular expressions we introduced had to be updated
to match longer extensions.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

The second issue allows unauthenticated users to gain additional
rights, on wikis where $wgBlockDisablesLogin is enabled. By default,
it is disabled. The issue occurs when a malicious user sends cookies
which contain the user name and user ID of a "victim" account. In
certain circumstances, the rights of the victim are loaded and persist
throughout the malicious request, allowing the malicious user to
perform actions with the victim's rights.

$wgBlockDisablesLogin is a feature which is sometimes used&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-05-05T05:52:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168">
    <title>MediaWiki security release 1.16.4</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168</link>
    <description>&lt;pre&gt;Our patch for the Internet Explorer 6 XSS issue (bug 28235) released
two days ago in 1.16.3 was insufficient to fix that bug. The original
reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we
are doing another release, which contains a second attempt at fixing
the issue.

Apologies to everyone for the inconvenience. Big thanks go to Masato
Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan
Kattouw who helped me test the patch this time around, so that we can
hopefully avoid a repeat.

It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for
Internet Explorer clients, version 6 and earlier. Also, if you used
the Apache configuration I suggested in the previous release
announcement, you should update it to:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
    RewriteRule . - [forbidden]


We missed the fact that there can be more than one question mark in a
URL. In certain circumstances, IE 6 will use a file extension
immediatel&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-04-14T07:47:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167">
    <title>MediaWiki security release 1.16.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.3, which is a
security release. Three security issues were discovered.

Masato Kinugawa discovered a cross-site scripting (XSS) issue, which
affects Internet Explorer clients only, and only version 6 and
earlier. Web server configuration changes are required to fix this
issue. Upgrading MediaWiki will only be sufficient for people who use
Apache with AllowOverride enabled.

Due to the diversity of uploaded files that we allow, MediaWiki does
not guarantee that uploaded files will be safe if they are interpreted
by the client as some arbitrary file type, such as HTML. We rely on
the web server to send the correct Content-Type header, and we rely on
the web browser to respect it. This XSS issue arises due to IE 6
looking for a file extension in the query string of the URL (i.e.
after the "?"), if no extension is found in the path part of the URL.
Masato Kinugawa discovered that the file extension in the path part&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-04-12T03:23:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166">
    <title>MediaWiki security release 1.16.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.2, which is a
security release. Two security issues were discovered.

An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected. For more details, see bug 27094:

https://bugzilla.wikimedia.org/show_bug.cgi?id=27094

Security researcher mghack discovered a CSS injection vulnerability.
For Internet Explorer and similar browsers, this is equivalent to an
XSS vulnerability, that is to say, it allows the compromise of wiki
user accounts. For other browsers, it allows private data such as IP
addresses and browsing patterns to be sent to a malicious &lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-02-01T23:16:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165">
    <title>MediaWiki and PHP 5.3.5/5.2.17</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165</link>
    <description>&lt;pre&gt;If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux
distribution which includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
will be vulnerable to a denial-of-service vulnerability.

CVE-2010-4645 is a vulnerability which causes the conversion from a
string to a floating-point number to take forever, for certain special
strings. PHP's weak typing means that such conversion can take place
implicitly, for example in code like "$string &amp;gt; 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.

PHP release announcement:
http://www.php.net/archive/2011.php#id2011-01-06-1

Updated Ubuntu packages:
http://www.ubuntu.com/usn/usn-1042-1

&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-01-13T04:01:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164">
    <title>MediaWiki security release 1.16.1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.1, which is a
security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no
protection against "clickjacking". With user or site JavaScript or CSS
enabled, clickjacking can lead to cross-site scripting (XSS), and thus
full compromise of the wiki account of any user who visits a malicious
external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views
and a few selected special pages. To be protected, all users need to
use a browser which supports X-Frame-Options. For information about
supported browsers, see:

&amp;lt;https://developer.mozilla.org/en/the_x-frame-options_response_header&amp;gt;

For more information about this vulnerability and the related patch, see:

&amp;lt;https://bugzilla.wikimedia.org/show_bug.cgi?id=26561&amp;gt;

Other changes in MediaWiki 1.16.1:

* (bug 24981) Allow extensions to access SpecialUpl&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-01-04T06:55:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163">
    <title>MediaWiki security release: 1.16.0 and 1.15.5</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.16.0 and
MediaWiki 1.15.5. Download links are given at the end of this email.

A data leakage vulnerability was discovered, affecting MediaWiki 1.8
and later. Public caching headers were incorrectly set on API
responses containing private data. By means of a CSRF-style attack,
this can lead to the disclosure of various types of private data
stored on a wiki. All users are advised to upgrade. Full details can
be found at:

https://bugzilla.wikimedia.org/show_bug.cgi?id=24565

A cross-site scripting (XSS) vulnerability was discovered in
profileinfo.php. The vulnerability is only exposed when the script is
explicitly enabled in LocalSettings.php, with $wgEnableProfileInfo = true.

A register_globals arbitrary inclusion vulnerability was discovered in
the 1.16 beta release series, in MediaWikiParserTest.php. This
vulnerability does not affect any stable MediaWiki release. It only
affects wikis which have PHP's reg&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2010-07-28T07:53:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/162">
    <title>MediaWiki security update: 1.15.4 and 1.16.0beta3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/162</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.15.4 and
MediaWiki 1.16 beta 3.

Two security vulnerabilities were discovered.

Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE; it has been confirmed on IE 6 and 8.

Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.

&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2010-05-28T07:40:46</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.org.wikimedia.mediawiki.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.org.wikimedia.mediawiki.announce</link>
  </textinput>
</rdf:RDF>

