Mailing List Archive

MediaWiki 1.3.9 released [security]
MediaWiki 1.3.9 is a security and bug fix release.

A flaw in upload handling has been found which may allow upload and
execution of arbitrary scripts with the permissions of the web server.
Only wikis that have enabled uploads and have a vulnerable Apache
configuration will be affected, but to be safe all wikis should
upgrade.

Wikis with uploads available should either disable uploads or upgrade
to 1.3.9 immediately; if other files are customized and require merging
changes, includes/SpecialUpload.php may be replaced individually to add
the fix.

(It is also recommended to configure your web server to disable script
execution in the 'images' subdirectory where uploads are placed, which
prevents most attacks even if the wiki fails.)

Changes from 1.3.8:
* Backported "Templates used in this page"-feature of EditPage
* Allow "MySkin" as a default skin.
* (bug 938) Parse namespaces correctly on self-interwiki links
* (bug 1010) fix broken Commons image link on Classic & Cologne Blue
* (bug 1004) Norsk language names for interwiki links changed,
Nauruan language name changed
* Fix upload extension blacklist to protect against vulnerable
Apache configurations

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=289468

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.9.tar.gz?download

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://mail.wikipedia.org/pipermail/mediawiki-announce/attachments/20041212/c880bb8f/PGP.bin