brion.vibber at gmail
Feb 4, 2005, 7:58 AM
MediaWiki 1.3.10 released (SECURITY)
MediaWiki 1.3.10 is a security release.
In earlier 1.3.x releases an attacker could craft a URL which, when
visited by a particular logged-in user, would execute arbitrary
attack has been blocked, and as an extra precaution the user CSS and
this ability may set $wgAllowUserCss and $wgAllowUserJs in
Additional protections have been added against off-site form submissions
hijacking user credentials. Authors of bot tools may need to update
their code to include additional fields.
All wikis running 1.3.x are strongly urged to upgrade to 1.3.10.
=== Changes from 1.3.9 ===
* Logged-in edits and preview of user CSS/JS are now locked to a
default. They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra
precaution. If your web server is configured to serve Ogg files with the
correct Content-Type header, you can re-add it in LocalSettings.php:
  $wgFileExtensions[] = 'ogg';
Low-traffic release announcements mailing list:
Wiki admin help mailing list:
Bug report system:
Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net
-- brion vibber (brion @ pobox.com)
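The changes list above makes re-adding .ogg conditional on the web server sending the correct Content-Type header. The following is an added example, not part of the original announcement or of MediaWiki, of one way to check that condition before editing LocalSettings.php. The accepted media types, the function names and the sample responses are assumptions made for illustration.

```python
# Added example (not MediaWiki code): verify how an uploaded .ogg is served.
import urllib.request

# Assumption: media types accepted as "correct" for Ogg. application/ogg is
# from RFC 3534; audio/ogg and video/ogg were registered later (RFC 5334).
OGG_TYPES = {"application/ogg", "audio/ogg", "video/ogg"}

def content_types(raw_headers):
    """Return every Content-Type value in a raw HTTP response header block."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values

def ogg_served_correctly(raw_headers):
    """Return (ok, reason) for the headers sent with a .ogg file."""
    values = content_types(raw_headers)
    if not values:
        return False, "no Content-Type header"
    if len(values) > 1:
        return False, "multiple Content-Type headers"
    # Drop parameters such as "; charset=..." before comparing.
    media_type = values[0].split(";", 1)[0].strip().lower()
    if media_type not in OGG_TYPES:
        return False, "served as " + media_type
    return True, media_type

def fetch_headers(url):
    """HEAD a test file on your own server and return its header block."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return str(resp.headers)

# Constructed sample responses, not captured from a real server.
CONFIGURED = "HTTP/1.1 200 OK\r\nContent-Type: application/ogg\r\nContent-Length: 4096\r\n"
UNCONFIGURED = "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=ISO-8859-1\r\n"
NO_TYPE = "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n"

if __name__ == "__main__":
    samples = [("configured", CONFIGURED), ("unconfigured", UNCONFIGURED), ("no type", NO_TYPE)]
    for label, raw in samples:
        print(label, ogg_served_correctly(raw))
```

Against a live wiki, pass the result of fetch_headers() for a test .ogg file in your own upload directory to ogg_served_correctly().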