Mailing List Archive

MediaWiki 1.3.6 released
MediaWiki 1.3.6 is a security update, which contains fixes for several
cross-site scripting and SQL injection vulnerabilities discovered
during a code review. All MediaWiki users are strongly urged to upgrade
to this latest release.

Changes from 1.3.5:
* (bug 296) Variables in user interface messages are no longer substituted
  at install time, so changes to the site name etc should be easier to make
* (bug 149) Special:Recentchanges "changes from" link preserves limit
* (bug 433) tooltip for "Undelete" tab now labeled correctly
* (bug 439) unclickable "Move" tab no longer displays on protected pages
* (bug 484) graceful deletion of images where the actual file is missing
* (bug 686) fixed [[plural]]s in Catalan localization
* Fixed potential HTML/JavaScript injection attack in the UnicodeConverter
  extension. (This extension is not enabled by default.)
* Fixed potential HTML/JavaScript injection attack via raw page views to
  a maliciously crafted wiki page.
* (bug 187, bug 669) Fixed centered thumbnails, using <div> instead of
  <span>.
* catch MySQL error 2000 during installation.
* (bug 704) Removed misleading LocalSettings.sample
* Fix cross site scripting bugs in SpecialIpblocklist, SpecialEmailuser
* Fix SQL injection and cross site scripting bugs in SpecialMaintenance
* Fix cross site scripting bugs and possible filename validation
  vulnerability in ImagePage.
* and more of that sort

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=275099

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.6.tar.gz?download

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- brion vibber (brion @ pobox.com)