<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.org.wikimedia.mediawiki.announce">
    <title>gmane.org.wikimedia.mediawiki.announce</title>
    <link>http://blog.gmane.org/gmane.org.wikimedia.mediawiki.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182">
    <title>MediaWiki 1.19.0 released</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/182</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first stable release
of the new MediaWiki 1.19 release series.

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes in
this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the
beta release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

A comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
  piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
  user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
  cache is used (used in the API and the Interwiki extension).

Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
  content language.
* Time and number-formatting magic words also now depend on the page
  content language.
* Bidirectional support further improved after 1.18.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES-1.19;hb=REL1_19
https://www.mediawiki.org/wiki/Release_notes/1.19

Frequently asked questions about upgrading:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0.tar.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0.tar.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-05-02T14:31:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181">
    <title>MediaWiki 1.19.0rc1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/181</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first release candidate
release of the new MediaWiki 1.19 release series.

Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.19.0.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports.

****************************************************************
                             What's new?
****************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

A comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
  piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
  user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
  cache is used (used in the API and the Interwiki extension).

Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
  content language.
* Time and number-formatting magic words also now depend on the page
  content language.
* Bidirectional support further improved after 1.18.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES-1.19;hb=REL1_19
https://www.mediawiki.org/wiki/Release_notes/1.19


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0rc1.tar.gz

Patch to previous version (1.19.0beta2):
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0rc1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0rc1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0rc1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180">
    <title>MediaWiki maintenance release 1.18.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/180</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.3. This release
corrects issues from the 1.18.2 security release, and also some other bugs.

* (bug 35446) Using "{{nse:}}" with an invalid namespace name no longer
  throws a PHP warning.
* (bug 35567) The whole password reminder e-mail is now sent in the same
  language.
* (bug 35961) Hash comparison should always be strict.
* (bug 35671) PHP Notice: Undefined index: gettoken in
  includes/api/ApiMain.php on line 598.
* Fix broken email confirmation expiration caused by MWCryptRand changes.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES-1.18;hb=REL1_18
https://www.mediawiki.org/wiki/Release_notes/1.18


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.tar.gz

Patch to previous version (1.18.2):
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html


&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179">
    <title>MediaWiki maintenance release 1.17.4</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/179</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.4. This release
corrects issues from the 1.17.3 security release, and also some other bugs.

* (bug 35961) Hash comparison should always be strict.
* Fix broken email confirmation expiration caused by MWCryptRand changes.
* (bug 35671) PHP Notice: Undefined index: gettoken in
  includes/api/ApiMain.php on line 598.

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=RELEASE-NOTES;hb=REL1_17
https://www.mediawiki.org/wiki/Release_notes/1.17


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz

Patch to previous version (1.17.3):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-04-26T15:25:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178">
    <title>MediaWiki 1.19.0beta2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/178</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the second beta release of the
new MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any
wikis that you really care about, unless you are both very brave and
very confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes
in this version.

Five security issues were discovered.

It was discovered that the API had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.

Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

*********************************************************************
                             What's new?
*********************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

A comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
  piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
  user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
  cache is used (used in the API and the Interwiki extension).

Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
  content language.
* Time and number-formatting magic words also now depend on the page
  content language.
* Bidirectional support further improved after 1.18.

Release notes
-------------
Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.19;hb=1.19.0beta2
https://www.mediawiki.org/wiki/Release_notes/1.19

Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git. If you are using tarballs, there should be no change in the
process for you.

Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.

Please bear with us, some of the Git-related links for this release may not
work instantly, but should later on.

To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git

More information is available at https://www.mediawiki.org/wiki/Git

For more help, please visit the #mediawiki IRC channel on freenode.net
irc://irc.freenode.net/mediawiki or email the MediaWiki-l mailing list
at mediawiki-l&amp;lt; at &amp;gt;lists.wikimedia.org.


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz

Patch to previous version (1.19.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177">
    <title>MediaWiki security and maintenance release 1.17.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/177</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.3. Five security
issues were discovered.

It was discovered that the API had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.

Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES;hb=1.17.3
https://www.mediawiki.org/wiki/Release_notes/1.17

Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git. If you are using tarballs, there should be no change in the
process for you.

Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.

Please bear with us, some of the Git-related links for this release may not
work instantly, but should later on.

To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git

More information is available at https://www.mediawiki.org/wiki/Git

For more help, please visit the #mediawiki IRC channel on freenode.net
irc://irc.freenode.net/mediawiki or email the MediaWiki-l mailing list
at mediawiki-l&amp;lt; at &amp;gt;lists.wikimedia.org.


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.tar.gz

Patch to previous version (1.17.2), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176">
    <title>MediaWiki security and maintenance release 1.18.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/176</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.2. Five security
issues were discovered.

It was discovered that the API had a cross-site request forgery (CSRF)
vulnerability in the block/unblock modules. It was possible for a user
account with the block privileges to block or unblock another user without
providing a token.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212

It was discovered that the resource loader can leak certain kinds of private
data across domain origin boundaries, by providing the data as an executable
JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
CSRF protection tokens. This allows compromise of the wiki's user accounts,
say by changing the user's email address and then requesting a password
reset.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907

Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
vulnerability in Special:Upload. Modern browsers (since at least as early as
December 2010) are able to post file uploads without user interaction,
violating previous security assumptions within MediaWiki.

Depending on the wiki's configuration, this vulnerability could lead to
further compromise, especially on private wikis where the set of allowed
file types is broader than on public wikis. Note that CSRF allows compromise
of a wiki from an external website even if the wiki is behind a firewall.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317

George Argyros and Aggelos Kiayias reported that the method used to generate
password reset tokens is not sufficiently secure. Instead we use various
more secure random number generators, depending on what is available on the
platform. Windows users are strongly advised to install either the openssl
extension or the mcrypt extension for PHP so that MediaWiki can take
advantage of the cryptographic random number facility provided by Windows.

Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of
the MWCryptRand class introduced with this release.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

A long-standing bug in the wikitext parser (bug 22555) was discovered to
have security implications. In the presence of the popular CharInsert
extension, it leads to cross-site scripting (XSS). XSS may be possible with
other extensions or perhaps even the MediaWiki core alone, although this is
not confirmed at this time. A denial-of-service attack (infinite loop) is
also possible regardless of configuration.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

Full release notes:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.18;hb=1.18.2
https://www.mediawiki.org/wiki/Release_notes/1.18

Coinciding with these security releases, the MediaWiki source code
repository has moved from SVN (at
https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
(https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
commits for these releases will not be appearing in our SVN repository. If
you use SVN checkouts of MediaWiki for version control, you need to migrate
these to Git. If you are using tarballs, there should be no change in the
process for you.

Please note that any WMF-deployed extensions have also been migrated to Git,
along with some other non-WMF-maintained ones.

Please bear with us, some of the Git-related links for this release may not
work instantly, but should later on.

To do a simple Git clone, the command is:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git

More information is available at https://www.mediawiki.org/wiki/Git

For more help, please visit the #mediawiki IRC channel on freenode.net
irc://irc.freenode.net/mediawiki or email the MediaWiki-l mailing list
at mediawiki-l&amp;lt; at &amp;gt;lists.wikimedia.org.


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz

Patch to previous version (1.18.1), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-22T19:37:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175">
    <title>MediaWiki 1.19.0beta1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/175</link>
    <description>&lt;pre&gt;I'm happy to announce the availability of the first beta release of the new
MediaWiki 1.19 release series.

Please try it out and let us know what you think. Don't run it on any wikis
that you really care about, unless you are both very brave and very
confident in your MediaWiki administration skills.

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users. You can
consult the RELEASE-NOTES-1.19 file for the full list of changes in this
version.

*********************************************************************
                             What's new?
*********************************************************************

MediaWiki 1.19 brings the usual host of various bugfixes and new features.

Comprehensive list of what's new is in the release notes.

* Bumped MySQL version requirement to 5.0.2.
* Disable the partial HTML and MathML rendering options for Math,
  and render as PNG by default.
  * MathML mode was so incomplete most people thought it simply didn't work.
* New skins/common/*.css files usable by skins instead of having to copy
  piles of generic styles from MonoBook or Vector's css.
* The default user signature now contains a talk link in addition to the
  user link.
* Searching blocked usernames in block log is now clearer.
* Better timezone recognition in user preferences.
* Extensions can now participate in the extraction of titles from URL paths.
* The command-line installer supports various RDBMSes better.
* The interwiki links table can now be accessed also when the interwiki
  cache is used (used in the API and the Interwiki extension).

Internationalization
--------------------
* More gender support (for instance in user lists).
* Add languages: Canadian English.
* Language converter improved, e.g. it now works depending on the page
  content language.
* Time and number-formatting magic words also now depend on the page
  content language.
* Bidirectional support further improved after 1.18.

Release notes
-------------
Full release notes:
https://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_19_0beta1/phase3/RELEASE-NOTES-1.19
https://www.mediawiki.org/wiki/Release_notes/1.19


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta1.tar.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta1.tar.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html




&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-03-07T19:09:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174">
    <title>MediaWiki security and maintenance release 1.18.1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/174</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.18.1. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

1.18.1 is also the first maintenance release of the 1.18 series, bringing
numerous bug fixes to MediaWiki for issues found in the 1.18.0 release.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_18_1/phase3/RELEASE-NOTES


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz

Patch to previous version (1.18.0), without interface text:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-1.18.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.18/mediawiki-i18n-1.18.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-01-11T21:50:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173">
    <title>MediaWiki security release 1.17.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/173</link>
    <description>&lt;pre&gt;I would like to announce the release of MediaWiki 1.17.2. One security
issue was discovered.

Roan Kattouw discovered an issue with the API, where prop=revisions would
expose deleted text to unprivileged users through cache pollution.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=33117

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_17_2/phase3/RELEASE-NOTES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz

Patch to previous version (1.17.1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Sam Reed</dc:creator>
    <dc:date>2012-01-11T21:50:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172">
    <title>MediaWiki 1.17.0 released</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/172</link>
    <description>&lt;pre&gt;
We are proud to announce the first stable release of the 1.17 series.

Selected changes since MediaWiki 1.16 that may be of interest:

* A new installer has been introduced. It has a wizard-style interface
  which is translated into many languages. Many shortcomings in the old
  installer were addressed with this rewrite. Note that it is no longer
  required for the config directory to be made writable by the webserver.
  Instead the generated LocalSettings.php file is offered as a download,
  which you must then upload to the wiki's base directory.

* ResourceLoader, a new framework for delivering client-side resources
  such as JavaScript and CSS, has been introduced. These resources are
  now delivered through the new entry point script "load.php", instead of
  as static files served directly by the web server. This allows
  minification, compression and client-side caching to be used more
  effectively, which should provide a net performance improvement for
  most users.

* Category sorting has been improved.
   * Sorting is now case insensitive.
   * Sub-categories, pages and files can now be paged separately.
   * When several pages are given the same sort key, they sort by their
     names instead of randomly.

* The lowest supported version of PHP is now 5.2.3. If necessary, please
  upgrade PHP prior to upgrading MediaWiki.

* Oracle Database support has been improved, and is now ready for beta
  testing. If you work in an environment where Oracle is readily
  available, and you can't get access to MySQL, this may be a useful
  alternative for you. Please try it out and let us know if it works for
  you. Oracle support is not yet recommended for use in production.

For more information about what's new in the MediaWiki 1.17 branch, see:
http://www.mediawiki.org/wiki/MediaWiki_1.17

Frequently asked questions about upgrading:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading

Changes since 1.17.0rc1:
* Fixed syntax error in generated LocalSettings.php when a non-default
user rights profile is chosen.
* (bug 29399) Fixed PostgreSQL installation when the DB user for
installation is the same as the one for web access.
* (bug 29233) Fixed failover for DB slave servers. When a DB slave
went down, an error was immediately shown to the user, instead of
trying another slave. Was broken since 1.17 beta 1.
* (bug 29278) Fixed PHP fatal error when attempting to add text to a
page via a redirect.
* (bug 29408) Fixed uploads of files with MIME types that aren't
detected by MediaWiki.

Full release notes:
http://www.mediawiki.org/wiki/Release_notes/1.17


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz

Patch to previous version (1.17.0rc1):
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-06-22T04:56:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171">
    <title>MediaWiki release candidate 1.17.0rc1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/171</link>
    <description>&lt;pre&gt;
A release candidate for the MediaWiki 1.17 branch is now available.
Please test it and let us know what you think of it. Barring new bug
reports, this release candidate will soon be released as MediaWiki 1.17.0.

Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports. Many bugs have been
fixed, especially in the new installer.

Full release notes:
http://www.mediawiki.org/wiki/Release_notes/1.17

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz

Patch to previous version (1.17.0beta1), without interface text:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.0rc1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0rc1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.17/mediawiki-i18n-1.17.0rc1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html




&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-06-14T02:54:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170">
    <title>MediaWiki 1.17 beta 1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/170</link>
    <description>&lt;pre&gt;
I'm happy to announce the availability of the first beta release of
the new MediaWiki 1.17 release series.

Please try it out and let us know what you think. Don't run it on
any wikis that you really care about, unless you are both very
brave and very confident in your MediaWiki administration skills.

MediaWiki 1.17 is a very large release that contains many new
features and bug fixes. This is a summary of the major changes of
interest to users. You can consult the RELEASE-NOTES file for the
full list of changes in this version.

*********************************************************************
                             What's new?
*********************************************************************

PHP 5.2.3
---------

We now require PHP version 5.2.3 or later. Why? Well, it brings with
it some tools for your beloved developers. It was released on June
1, 2007, so we believe this requirement will not be a hassle for
administrators. Be sure to check your PHP installation and contact
your host if it runs an outdated PHP version.

New installer
-------------

MediaWiki 1.17 is shipping with a completely redesigned installer to
fix a lot of outstanding bugs, clean up the code quality, and make
it easier to use. Notably, you can now run upgrades from the web
without having to move LocalSettings.php. A couple of other notable
changes:

    * The installer can now be fully localized like the rest of the
      software and contains numerous help dialogs.

    * The installer script directory has been renamed from config/
      to mw-config/.

    * You now download your generated LocalSettings.php at install
      completion, rather than writing it straight to the
      configuration directory. The previous behavior was a security
      risk.

    * IBM DB2 and MSSQL support were dropped from the installer.

ResourceLoader
--------------

As web browsers have become more capable, the software that
MediaWiki runs on them has become more complex. This trend has
resulted in developers needing an efficient way to package and
deliver code to web browsers. To address this, MediaWiki 1.17
ships with ResourceLoader: a framework which combines and minifies
CSS and JavaScript before delivering them to the web browser.
ResourceLoader improves performance, while also making it easier to
write client-side features. ResourceLoader allows developers to
organize scripts, styles, and messages into named modules. Any
number of modules can be loaded through a single request, improving
page load times. Code is minified automatically and loaded when
needed, reducing unnecessary downloads. Other advanced features
include the ability to embed images in style sheets using data URIs, or
automatically flipping horizontal information in style sheets for
right-to-left user interfaces.

Category sorting
----------------

Category sorting has been drastically improved.

    * Sorting is now case insensitive.

    * Sub-categories, pages and files can now be paged separately.

    * When several pages are given the same sort key, they sort by
      their names instead of randomly.

Language support
----------------

As with every release, MediaWiki 1.17 brings improved support for
languages in MediaWiki, with improved translation and features for
the many supported languages.

New languages:

    * Moroccan Spoken Arabic (ary)
    * Banjar (bjn)
    * Kabardian (Cyrillic) (kbd-cyrl)
    * Latgalian (ltg)
    * Minangkabau (min)
    * Dutch (informal) (nl-informal)
    * Rusyn (rue)

API
---

API bug fixes and new features have been added to 1.17, providing
more options for input and output.

    * API output can now be formatted by PHP's var_export() (format
      type is dbg/dbgfm).

    * An API module was added to list page properties.

    * PARAM_REQUIRED can now be used on parameters, to have the API
      enforce existence before code even reaches the module.

    * The API now has a Really Simple Discovery module, useful for
      publishing service information by the API.

The API contains 3 breaking changes against previous releases:

    * action=patrol now requires POST.

    * The patrol token is no longer the same as edit token.

    * Session keys returned by ApiUpload are now strings instead of
      integers.

Other
-----

    * Interwiki links in articles are now recorded in a separate
      table.

    * Users can now add CSS and JS to all skins by using
      User:&amp;lt;name&amp;gt;/common.css and User:&amp;lt;name&amp;gt;/common.js.

Release notes
-------------

Complete release notes are at

http://www.mediawiki.org/wiki/Release_notes/1.17

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0beta1.tar.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0beta1.tar.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html





&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-05-05T12:39:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169">
    <title>MediaWiki security release 1.16.5</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/169</link>
    <description>&lt;pre&gt;
I would like to announce the release of MediaWiki 1.16.5. Two security
issues were discovered.

The first issue is yet another recurrence of the Internet Explorer 6
XSS vulnerability that caused the release of 1.16.4. It was pointed
out that there are dangerous extensions with more than four
characters, so the regular expressions we introduced had to be updated
to match longer extensions.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

The second issue allows unauthenticated users to gain additional
rights, on wikis where $wgBlockDisablesLogin is enabled. By default,
it is disabled. The issue occurs when a malicious user sends cookies
which contain the user name and user ID of a "victim" account. In
certain circumstances, the rights of the victim are loaded and persist
throughout the malicious request, allowing the malicious user to
perform actions with the victim's rights.

$wgBlockDisablesLogin is a feature which is sometimes used on private
wikis to prevent users who have an account from logging in and viewing
content on the wiki.

For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=28639

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.5.tar.gz

Patch to previous version (1.16.4), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.5.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.5.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html




&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-05-05T05:52:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168">
    <title>MediaWiki security release 1.16.4</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/168</link>
    <description>&lt;pre&gt;Our patch for the Internet Explorer 6 XSS issue (bug 28235) released
two days ago in 1.16.3 was insufficient to fix that bug. The original
reporter, Masato Kinugawa, pointed out the flaw on bug 28507. So we
are doing another release, which contains a second attempt at fixing
the issue.

Apologies to everyone for the inconvenience. Big thanks go to Masato
Kinugawa for helping to keep MediaWiki secure. Thanks also to Roan
Kattouw who helped me test the patch this time around, so that we can
hopefully avoid a repeat.

It is necessary to upgrade MediaWiki to avoid an XSS vulnerability for
Internet Explorer clients, version 6 and earlier. Also, if you used
the Apache configuration I suggested in the previous release
announcement, you should update it to:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.[a-z0-9]{1,4}(#|\?|$) [nocase]
    RewriteRule . - [forbidden]


We missed the fact that there can be more than one question mark in a
URL. In certain circumstances, IE 6 will use a file extension
immediately before a question mark character, regardless of how many
question marks precede it. For example, with the URL:

http://example.com/a?b?c.html?d?e

IE 6 will see the file extension as ".html".

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz

Patch to previous version (1.16.3):
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-04-14T07:47:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167">
    <title>MediaWiki security release 1.16.3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/167</link>
    <description>&lt;pre&gt;
I would like to announce the release of MediaWiki 1.16.3, which is a
security release. Three security issues were discovered.

Masato Kinugawa discovered a cross-site scripting (XSS) issue, which
affects Internet Explorer clients only, and only version 6 and
earlier. Web server configuration changes are required to fix this
issue. Upgrading MediaWiki will only be sufficient for people who use
Apache with AllowOverride enabled.

Due to the diversity of uploaded files that we allow, MediaWiki does
not guarantee that uploaded files will be safe if they are interpreted
by the client as some arbitrary file type, such as HTML. We rely on
the web server to send the correct Content-Type header, and we rely on
the web browser to respect it. This XSS issue arises due to IE 6
looking for a file extension in the query string of the URL (i.e.
after the "?"), if no extension is found in the path part of the URL.
Masato Kinugawa discovered that the file extension in the path part
can be hidden from IE 6 by substituting the "." with "%2E".

To fix this issue, configure your web server to deny requests with
URLs that have a path part ending in a dot followed by a dangerous
file extension. For example, in Apache with mod_rewrite:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
    RewriteRule . - [forbidden]

Upgrading MediaWiki is necessary to fix this issue in
dynamically-generated content. This issue is easier to exploit using
dynamically generated content, since it requires no special
privileges. Accounts on both public and private wikis can be
compromised by clicking a malicious link in an email or website. For
more details, see bug 28235.

Wikipedia user Suffusion of Yellow discovered a CSS validation error
in the wikitext parser. This is an XSS issue for Internet Explorer
clients, and a privacy loss issue for other clients since it allows
the embedding of arbitrary remote images. For more details, see bug 28450.

MediaWiki developer Happy-Melon discovered that the transwiki import
feature neglected to perform access control checks on form submission.
The transwiki import feature is disabled by default. If it is enabled,
it allows wiki pages to be copied from a remote wiki listed in
$wgImportSources. The issue means that any user can trigger such an
import to occur. For more details, see bug 28449.

The localisations were updated using content from translatewiki.net.

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.tar.gz

Patch to previous version (1.16.2), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html




&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-04-12T03:23:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166">
    <title>MediaWiki security release 1.16.2</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/166</link>
    <description>&lt;pre&gt;
I would like to announce the release of MediaWiki 1.16.2, which is a
security release. Two security issues were discovered.

An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected. For more details, see bug 27094:

https://bugzilla.wikimedia.org/show_bug.cgi?id=27094

Security researcher mghack discovered a CSS injection vulnerability.
For Internet Explorer and similar browsers, this is equivalent to an
XSS vulnerability, that is to say, it allows the compromise of wiki
user accounts. For other browsers, it allows private data such as IP
addresses and browsing patterns to be sent to a malicious external web
server. It affects all versions of MediaWiki. All users are advised to
upgrade. For more information, see bug 27093:

https://bugzilla.wikimedia.org/show_bug.cgi?id=27093

This vulnerability was originally reported to the Mozilla Security
Group and has been assigned CVE-2011-0047.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES


**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.tar.gz

Patch to previous version (1.16.1), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.2.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.2.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html



&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-02-01T23:16:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165">
    <title>MediaWiki and PHP 5.3.5/5.2.17</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/165</link>
    <description>&lt;pre&gt;If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux
distribution which includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
will be vulnerable to a denial-of-service vulnerability.

CVE-2010-4645 is a vulnerability which causes the conversion from a
string to a floating-point number to take forever, for certain special
strings. PHP's weak typing means that such conversion can take place
implicitly, for example in code like "$string &amp;gt; 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.

PHP release announcement:
http://www.php.net/archive/2011.php#id2011-01-06-1

Updated Ubuntu packages:
http://www.ubuntu.com/usn/usn-1042-1

&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-01-13T04:01:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164">
    <title>MediaWiki security release 1.16.1</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/164</link>
    <description>&lt;pre&gt;
I would like to announce the release of MediaWiki 1.16.1, which is a
security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no
protection against "clickjacking". With user or site JavaScript or CSS
enabled, clickjacking can lead to cross-site scripting (XSS), and thus
full compromise of the wiki account of any user who visits a malicious
external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views
and a few selected special pages. To be protected, all users need to
use a browser which supports X-Frame-Options. For information about
supported browsers, see:

&amp;lt;https://developer.mozilla.org/en/the_x-frame-options_response_header&amp;gt;

For more information about this vulnerability and the related patch, see:

&amp;lt;https://bugzilla.wikimedia.org/show_bug.cgi?id=26561&amp;gt;

Other changes in MediaWiki 1.16.1:

* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement
works again as an alias for Special:Upload.
* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in
1.16.0)
* (bug 25248) Fixed paraminfo errors in certain API modules.
* The installer now has improved handling for situations where
safe_mode is active or exec() and similar functions are disabled.
* (bug 19593) Specifying --server now works for all maintenance
scripts.
* Fixed $wgLicenseTerms register globals.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOTES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz

Patch to previous version (1.16.0), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html




&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2011-01-04T06:55:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163">
    <title>MediaWiki security release: 1.16.0 and 1.15.5</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/163</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.16.0 and
MediaWiki 1.15.5. Download links are given at the end of this email.

A data leakage vulnerability was discovered, affecting MediaWiki 1.8
and later. Public caching headers were incorrectly set on API
responses containing private data. By means of a CSRF-style attack,
this can lead to the disclosure of various types of private data
stored on a wiki. All users are advised to upgrade. Full details can
be found at:

https://bugzilla.wikimedia.org/show_bug.cgi?id=24565

A cross-site scripting (XSS) vulnerability was discovered in
profileinfo.php. The vulnerability is only exposed when the script is
explicitly enabled in LocalSettings.php, with $wgEnableProfileInfo = true.

A register_globals arbitrary inclusion vulnerability was discovered in
the 1.16 beta release series, in MediaWikiParserTest.php. This
vulnerability does not affect any stable MediaWiki release. It only
affects wikis which have PHP's register_globals feature enabled,
despite our strong advice to the contrary. Apache installations with
AllowOverride enabled may be protected against this vulnerability,
since there is a .htaccess file with "Deny from all" in the relevant path.

In both releases, the interface text was updated with new translations
from translatewiki.net.

Full release notes for 1.15.5:
&amp;lt;http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_5/phase3/RELEASE-NOTES&amp;gt;

Full release notes for 1.16.0:
&amp;lt;http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0/phase3/RELEASE-NOTES&amp;gt;

Upgrade FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ#Upgrading

**********************************************************************

We are proud to announce the first stable release of the 1.16 series.
Selected changes that may be of interest since MediaWiki 1.15 are:

* Watchlists now have RSS/Atom feeds. RSS feeds generally are now
hidden, since Atom is a better protocol and is supported by virtually
all clients.

* It's now possible to block users from sending email via
Special:Emailuser.

* The maintenance script system was overhauled. Most maintenance
scripts now have a useful help page when you run them with --help.

* AdminSettings.php is no longer required in order to run maintenance
scripts. You can just set $wgDBadminuser and $wgDBadminpassword in
your LocalSettings.php instead.

* The preferences system was overhauled. Preferences are stored in a
more compact format. Changes to site default preferences will
automatically affect all users who have not chosen a different preference.

* Support for SQLite was improved. Some broken features were fixed,
and it now has an efficient full-text search.

* The user groups ACL system was improved by allowing rights to be
revoked, instead of just granted.

* A new localisation caching system was introduced, which will make
MediaWiki faster for almost everyone, especially when lots of
extensions are enabled.

By default, this new system makes a lot of database queries. If your
database is particularly slow, or if your system administrator limits
your query count, or if you want to squeeze as much performance as
possible out of MediaWiki, set $wgCacheDirectory to a writable path on
the local filesystem. Make sure you have the DBA extension for PHP
installed; this will improve performance further.

**********************************************************************
   1.15.5
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.5.tar.gz

Patch to previous version (1.15.4), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.5.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.5.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.5.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.5.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.5.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   1.16.0
**********************************************************************

Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0.tar.gz

Patch to previous version (1.16.0beta3), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxP4e8ACgkQgkA+Wfn4zXkWIgCgmr9dHmPtQqk+2bdQaHkLGss3
7W8AoJqgkJsurVVzWFBkr3TgrswsWzcd
=L7ad
-----END PGP SIGNATURE-----



&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2010-07-28T07:53:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/162">
    <title>MediaWiki security update: 1.15.4 and 1.16.0beta3</title>
    <link>http://permalink.gmane.org/gmane.org.wikimedia.mediawiki.announce/162</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a security and bugfix release of MediaWiki 1.15.4 and
MediaWiki 1.16 beta 3.

Two security vulnerabilities were discovered.

Kuriaki Takashi discovered an XSS vulnerability in MediaWiki. It
affects Internet Explorer clients only. The issue is presumed to
affect all recent versions of IE; it has been confirmed on IE 6 and 8.

Noncompliant CSS parsing behaviour in Internet Explorer allows
attackers to construct CSS strings which are treated as safe by
previous versions of MediaWiki, but are decoded to unsafe strings by
Internet Explorer. Full details can be found at:
https://bugzilla.wikimedia.org/show_bug.cgi?id=23687

A CSRF vulnerability was discovered in our login interface. Although
regular logins are protected as of 1.15.3, it was discovered that the
account creation and password reset features were not protected from
CSRF. This could lead to unauthorised access to private wikis. See
https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 for details.

These vulnerabilities are serious and all users are advised to
upgrade. Remember that CSRF and XSS vulnerabilities can be used even
against firewall-protected intranet installations, as long as the
attacker can guess the URL.

In addition to the security fix, MediaWiki 1.16 beta 3 also contains
many useful bug fixes to 1.16 beta 2. We expect to be able to do a
stable release of the 1.16 branch within the next week or two.

Both releases contain localisation updates courtesy of translatewiki.net.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_4/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta3/phase3/RELEASE-NOTES


**********************************************************************
   1.15.4
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.tar.gz

Patch to previous version (1.15.3), without interface text:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.4.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.4.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.15/mediawiki-i18n-1.15.4.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

**********************************************************************
   1.16 beta 3
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.tar.gz

Patch to previous version (1.16.0beta2), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta3.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta3.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.0beta3.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv/c34ACgkQgkA+Wfn4zXnCTgCfb7CnMBkZZpcffdUauy8i4LAV
KN4Anj41b/jPfzqZwNfmMIH1/8NMaG9/
=k2UI
-----END PGP SIGNATURE-----



&lt;/pre&gt;</description>
    <dc:creator>Tim Starling</dc:creator>
    <dc:date>2010-05-28T07:40:46</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.org.wikimedia.mediawiki.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.org.wikimedia.mediawiki.announce</link>
  </textinput>
</rdf:RDF>

