
brion.vibber at gmail
Feb 4, 2005, 7:58 AM
MediaWiki 1.3.10 released (SECURITY)
MediaWiki 1.3.10 is a security release.

In earlier 1.3.x releases an attacker could craft a URL which, when visited by a particular logged-in user, would execute arbitrary JavaScript code on the user's browser in the wiki's site context.

This attack has been blocked, and as an extra precaution the user CSS and JavaScript subpage support is now disabled by default. Sites which want this ability may set $wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.

Additional protections have been added against off-site form submissions hijacking user credentials. Authors of bot tools may need to update their code to include additional fields.

All wikis running 1.3.x are strongly urged to upgrade to 1.3.10.

=== Changes from 1.3.9 ===

* Logged-in edits and preview of user CSS/JS are now locked to a session token.
* Per-user CSS and JavaScript subpage customizations now disabled by default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra precaution. If your web server is configured to serve Ogg files with the correct Content-Type header, you can re-add it in LocalSettings.php:

  $wgFileExtensions[] = 'ogg';

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=302313

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.10.tar.gz?download

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikipedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- brion vibber (brion @ pobox.com)
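
The kind of check the announcement refers to with "locked to a session token" and "additional fields" for bot tools, sketched as an added example that is not part of the original post and is not MediaWiki's own code. The function names, the `edit_token` field name and the sample requests are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added illustration of a session-bound edit token (anti-CSRF).
// Not MediaWiki's implementation; all names here are hypothetical.

// Return the token stored in this session, creating it on first use.
function editToken(array &$session): string {
    if (!isset($session['edit_token'])) {
        $session['edit_token'] = bin2hex(random_bytes(16));
    }
    return $session['edit_token'];
}

// Hidden field the wiki's own edit form carries. A page on another
// site cannot read this value, so it cannot build a valid form.
function editFormField(array &$session): string {
    $t = htmlspecialchars(editToken($session), ENT_QUOTES);
    return '<input type="hidden" name="edit_token" value="' . $t . '">';
}

// Accept a save only if the posted token matches the session's token.
function saveAllowed(array $session, array $post): bool {
    $expected = $session['edit_token'] ?? '';
    $given = $post['edit_token'] ?? '';
    // is_string() rejects array-valued fields such as edit_token[]=x;
    // hash_equals() compares in constant time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed requests against one logged-in session.
$session = [];
$token = editToken($session);
$cases = [
    'form served by the wiki'      => ['text' => 'hello', 'edit_token' => $token],
    'off-site form, no token'      => ['text' => 'spam'],
    'off-site form, guessed token' => ['text' => 'spam', 'edit_token' => str_repeat('0', 32)],
    'bot without the new field'    => ['text' => 'bot edit'],
];
foreach ($cases as $label => $post) {
    printf("%-30s %s\n", $label, saveAllowed($session, $post) ? 'saved' : 'rejected');
}
```

Only the first request is saved; a bot tool in the last case has to fetch the edit form first and send the token field back with its submission.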