
brion at pobox
Sep 21, 2005, 12:52 PM
MediaWiki 1.3.16, 1.4.10 released [SECURITY]
MediaWiki 1.4.10 and 1.3.16 are security maintenance releases.

A bug in edit submission handling could cause corruption of the previous revision in the database if an abnormal URL was used, such as those used by some spambots.

Affected releases:
* 1.4.x <= 1.4.9; fixed in 1.4.10
* 1.3.x <= 1.3.15; fixed in 1.3.16

1.5 release candidates are not affected by this problem.

All publicly editable wikis are strongly recommended to upgrade immediately.

1.4 releases can be manually patched by changing this bit in EditPage.php:

    function importFormData( &$request ) {
        if( $request->wasPosted() ) {

to:

    function importFormData( &$request ) {
        if( $request->getVal( 'action' ) == 'submit' &&
            $request->wasPosted() ) {

1.3 releases can be manually patched by changing this bit in EditPage.php:

    if( $this->tokenOk( $request ) ) {
        $this->save = $request->wasPosted() && !$this->preview;
    } else {

to:

    if( $this->tokenOk( $request ) ) {
        $this->save = $request->getVal( 'action' ) == 'submit' &&
            $request->wasPosted() && !$this->preview;
    } else {

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=358163
http://sourceforge.net/project/shownotes.php?release_id=358162

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.4.10.tar.gz?download
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.16.tar.gz?download

MD5 checksum:
mediawiki-1.4.10.tar.gz 2376f043109066d19830d05b6682c64b
mediawiki-1.3.16.tar.gz 7dae5d937c6803d970e803ddece750dc

Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ

Low-traffic release announcements mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

-- 
brion vibber (brion @ pobox.com / brion @ wikimedia.org)
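Added example (not part of the original announcement and not MediaWiki project code): a small checker an admin could run over a local EditPage.php to see whether the manual patch quoted above is in place. It assumes the condition appears with the same tokens as in the announcement, differing at most in whitespace; the function names, sample strings and script name are hypothetical.

```python
import re
import sys

# Conditions as quoted in the announcement (before / after the manual patch).
OLD_14 = "if( $request->wasPosted() ) {"
NEW_14 = "if( $request->getVal( 'action' ) == 'submit' && $request->wasPosted() ) {"
OLD_13 = "$this->save = $request->wasPosted() && !$this->preview;"
NEW_13 = ("$this->save = $request->getVal( 'action' ) == 'submit' && "
          "$request->wasPosted() && !$this->preview;")

def squash(text):
    """Remove all whitespace so indentation and line breaks do not matter."""
    return re.sub(r"\s+", "", text)

def patch_status(source):
    """Return 'patched', 'unpatched' or 'unknown' for EditPage.php source text."""
    s = squash(source)
    # Checked first, in case the bare wasPosted() test also occurs elsewhere.
    if squash(NEW_14) in s or squash(NEW_13) in s:
        return "patched"
    if squash(OLD_14) in s or squash(OLD_13) in s:
        return "unpatched"
    return "unknown"  # neither quoted form found: inspect the file by hand

# Constructed sample inputs, built from the snippets in the announcement.
SAMPLE_14_OLD = """
    function importFormData( &$request ) {
        if( $request->wasPosted() ) {
"""
SAMPLE_14_NEW = """
    function importFormData( &$request ) {
        if( $request->getVal( 'action' ) == 'submit' &&
            $request->wasPosted() ) {
"""
SAMPLE_13_NEW = """
    if( $this->tokenOk( $request ) ) {
        $this->save = $request->getVal( 'action' ) == 'submit' &&
            $request->wasPosted() && !$this->preview;
    } else {
"""

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_editpage.py path/to/EditPage.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(patch_status(fh.read()))
```

A result of "unknown" means neither quoted form was found, which is expected for releases that already ship the fix in a different shape or for files edited in some other way.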