Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Wikipedia: Mediawiki-announce

MediaWiki 1.3.9 released [security]



Wikipedia mediawiki-announce RSS feed   Index | Next | Previous | View Threaded

brion at pobox

Dec 13, 2004, 12:43 AM

Post #1 of 1 (1021 views)
MediaWiki 1.3.9 released [security]

MediaWiki 1.3.9 is a security and bug fix release.

A flaw in upload handling has been found which may allow upload and
execution of arbitrary scripts with the permissions of the web server.
Only wikis that have enabled uploads and have a vulnerable Apache
configuration will be affected, but to be safe all wikis should

Wikis with uploads available should either disable uploads or upgrade
to 1.3.9 immediately; if other files are customized and require merging
changes, includes/SpecialUpload.php may be replaced individually to add
the fix.

(It is also recommended to configure your web server to disable script
execution in the 'images' subdirectory where uploads are placed, which
prevents most attacks even if the wiki fails.)

Changes from 1.3.8:
* Backported "Templates used in this page"-feature of EditPage
* Allow "MySkin" as a default skin.
* (bug 938) Parse namespaces correctly on self-interwiki links
* (bug 1010) fix broken Commons image link on Classic & Cologne Blue
* (bug 1004) Norsk language names for interwiki links changed,
Nauruan language name changed
* Fix upload extension blacklist to protect against vulnerable
Apache configurations

Release notes:


Wiki admin help mailing list:

Low-traffic release announcements mailing list:

Bug report system:

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ pobox.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://mail.wikipedia.org/pipermail/mediawiki-announce/attachments/20041212/c880bb8f/PGP.bin

Wikipedia mediawiki-announce RSS feed   Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.