[Pkg-mediawiki-devel] [MediaWiki-announce] MediaWiki 1.9.3, 1.8.4, 1.7.3, 1.6.10 released

Brion Vibber brion at pobox.com
Wed Feb 21 03:49:40 CET 2007



February 20, 2007

MediaWiki 1.9.3 is a security and bug-fix update to the Winter 2007
quarterly release. Minor compatibility fixes for IIS and PostgreSQL are
included.

An XSS injection vulnerability based on Microsoft Internet Explorer's
UTF-7 charset autodetection was located in the AJAX support module,
affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
$wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.

* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
* (bug 8984) Fix a database error in Special:Recentchangeslinked
  when using the PostgreSQL database.
* Add 'charset' to Content-Type headers on various HTTP error responses
  to forestall additional UTF-7-autodetect XSS issues. PHP sends only
  'text/html' by default when the script didn't specify more details,
  which some inconsiderate browsers consider a license to autodetect
  the deadly, hard-to-escape UTF-7.
    This fixes an issue with the Ajax interface error message on MSIE
  when $wgUseAjax is enabled (not default configuration); this UTF-7
  variant on a previously fixed attack vector was discovered by Moshe BA
  from BugSec: http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
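
The charset note above, as an added example (not part of the original announcement or of MediaWiki's code): it shows why HTML-escaping alone does not help once a browser guesses UTF-7, then audits Content-Type values for markup served without an explicit charset. The sample string, the response list and its paths are constructed for illustration.

```python
import html
from email.message import Message

MARKUP_TYPES = {"text/html", "application/xhtml+xml"}

# Constructed sample: pure ASCII with none of the characters an HTML escaper
# rewrites, yet it becomes markup if a browser decodes the page as UTF-7.
SAMPLE = "+ADw-b+AD4-not escaped+ADw-/b+AD4-"

def as_utf7(text):
    """HTML-escape text, then decode the result the way a UTF-7 guess would."""
    escaped = html.escape(text, quote=True)
    return escaped, escaped.encode("ascii").decode("utf-7")

def charset_finding(content_type):
    """Return a finding for one Content-Type value, or None if it is safe."""
    if not content_type:
        return "missing Content-Type"
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() not in MARKUP_TYPES:
        return None  # only markup responses are in scope for this check
    charset = msg.get_content_charset()  # lower-cased, or None if absent
    if charset is None:
        return "no charset: browser may autodetect"
    if charset == "utf-7":
        return "utf-7 declared"
    return None

def audit(responses):
    """Map each (path, status) whose Content-Type has a finding to that finding."""
    findings = {}
    for path, status, content_type in responses:
        finding = charset_finding(content_type)
        if finding:
            findings[(path, status)] = finding
    return findings

# Constructed responses; paths are placeholders, not MediaWiki URLs.
RESPONSES = [
    ("/example/error", 400, "text/html"),
    ("/example/page", 200, "text/html; charset=UTF-8"),
    ("/example/feed", 200, "text/xml; charset=utf-8"),
    ("/example/odd", 500, "TEXT/HTML; Charset=UTF-7"),
]

if __name__ == "__main__":
    print(as_utf7(SAMPLE))
    for key, finding in audit(RESPONSES).items():
        print(key, finding)
```
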


Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_3/phase3/RELEASE-NOTES

Download:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.3.tar.gz

Patch against 1.9.2:
http://download.wikimedia.org/mediawiki/1.9/mediawiki-1.9.3.patch

Downloads, checksums, and GPG signatures for all versions:
http://download.wikimedia.org/mediawiki/1.9/
http://download.wikimedia.org/mediawiki/1.8/
http://download.wikimedia.org/mediawiki/1.7/
http://download.wikimedia.org/mediawiki/1.6/

Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ

Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
