On Mar 23, 2012 3:38 AM, "Sam Reed" <[email protected]> wrote:
>
> I'm happy to announce the availability of the second beta release of the
> new MediaWiki 1.19 release series.
>
> Please try it out and let us know what you think. Don't run it on any
> wikis that you really care about, unless you are both very brave and
> very confident in your MediaWiki administration skills.
>
> MediaWiki 1.19 is a large release that contains many new features and
> bug fixes. This is a summary of the major changes of interest to users.
> You can consult the RELEASE-NOTES-1.19 file for the full list of changes
> in this version.
>
> Five security issues were discovered.
>
> It was discovered that the API had a cross-site request forgery (CSRF)
> vulnerability in the block/unblock modules. It was possible for a user
> account with the block privileges to block or unblock another user without
> providing a token.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
>
> It was discovered that the resource loader can leak certain kinds of private
> data across domain origin boundaries, by providing the data as an executable
> JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of CSRF
> protection tokens. This allows compromise of the wiki's user accounts, say by
> changing the user's email address and then requesting a password reset.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
>
> Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
> vulnerability in Special:Upload. Modern browsers (since at least as early as
> December 2010) are able to post file uploads without user interaction,
> violating previous security assumptions within MediaWiki.
>
> Depending on the wiki's configuration, this vulnerability could lead to further
> compromise, especially on private wikis where the set of allowed file types is
> broader than on public wikis. Note that CSRF allows compromise of a wiki from
> an external website even if the wiki is behind a firewall.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
>
> George Argyros and Aggelos Kiayias reported that the method used to generate
> password reset tokens is not sufficiently secure. Instead we use various more
> secure random number generators, depending on what is available on the
> platform. Windows users are strongly advised to install either the openssl
> extension or the mcrypt extension for PHP so that MediaWiki can take advantage
> of the cryptographic random number facility provided by Windows.
>
> Any extension developers using mt_rand() to generate random numbers in contexts
> where security is required are encouraged to instead make use of the
> MWCryptRand class introduced with this release.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

I came across this mail and found this link still not viewable.

> A long-standing bug in the wikitext parser (bug 22555) was discovered to have
> security implications. In the presence of the popular CharInsert extension, it
> leads to cross-site scripting (XSS). XSS may be possible with other extensions
> or perhaps even the MediaWiki core alone, although this is not confirmed at
> this time. A denial-of-service attack (infinite loop) is also possible
> regardless of configuration.
>
> For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
>
> *********************************************************************
> What's new?
> *********************************************************************
>
> MediaWiki 1.19 brings the usual host of various bugfixes and new features.
>
> A comprehensive list of what's new is in the release notes.
>
> * Bumped MySQL version requirement to 5.0.2.
> * Disable the partial HTML and MathML rendering options for Math,
>   and render as PNG by default.
> * MathML mode was so incomplete most people thought it simply didn't work.
> * New skins/common/*.css files usable by skins instead of having to copy
>   piles of generic styles from MonoBook or Vector's css.
> * The default user signature now contains a talk link in addition to the
>   user link.
> * Searching blocked usernames in block log is now clearer.
> * Better timezone recognition in user preferences.
> * Extensions can now participate in the extraction of titles from URL paths.
> * The command-line installer supports various RDBMSes better.
> * The interwiki links table can now be accessed also when the interwiki
>   cache is used (used in the API and the Interwiki extension).
>
> Internationalization
> --------------------
> * More gender support (for instance in user lists).
> * Add languages: Canadian English.
> * Language converter improved, e.g. it now works depending on the page
>   content language.
> * Time and number-formatting magic words also now depend on the page
>   content language.
> * Bidirectional support further improved after 1.18.
>
> Release notes
> -------------
> Full release notes:
> https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.19;hb=1.19.0beta2
> https://www.mediawiki.org/wiki/Release_notes/1.19
>
> Coinciding with these security releases, the MediaWiki source code
> repository has moved from SVN (at
> https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3 ) to Git
> (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
> commits for these releases will not be appearing in our SVN repository. If
> you use SVN checkouts of MediaWiki for version control, you need to migrate
> these to Git. If you are using tarballs, there should be no change in the
> process for you.
>
> Please note that any WMF-deployed extensions have also been migrated to Git,
> along with some other non-WMF-maintained ones.
>
> Please bear with us, some of the Git related links for this release may not
> work instantly, but should later on.
>
> To do a simple Git clone, the command is:
> git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
>
> More information is available at https://www.mediawiki.org/wiki/Git
>
> For more help, please visit the #mediawiki IRC channel on freenode.net
> irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list
> at [email protected].
>
> **********************************************************************
> Download:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz
>
> Patch to previous version (1.19.0beta1), without interface text:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz
> Interface text changes:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz
>
> GPG signatures:
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz.sig
> http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz.sig
>
> Public keys:
> https://secure.wikimedia.org/keys.html
>
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
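Two of the quoted advisories describe recurring extension-code mistakes: building security tokens from mt_rand(), and performing a state-changing API action (block/unblock) without checking a request token. The following is an added illustration for extension authors, not code from the announcement or from MediaWiki itself. It uses PHP's own random_bytes() and hash_equals() where a MediaWiki extension would use the MWCryptRand class named in the mail (whose API the mail does not show); the function names, the array-shaped request and session, and the callback are assumed for the demo.

```php
<?php
// Added example, not MediaWiki code. Weak pattern beside hardened pattern for the
// two issues named in the announcement: predictable tokens and missing CSRF checks.
declare(strict_types=1);

// Weak: mt_rand() is a Mersenne Twister seeded with a 32-bit value. It is a
// statistical PRNG, not a CSPRNG, so tokens derived from it are not unpredictable
// to an attacker who can observe other outputs or brute-force the seed.
function weakResetToken(): string {
    return md5((string) mt_rand());
}

// Hardened: 32 bytes from the OS cryptographic RNG, hex-encoded to 64 characters.
// In a MediaWiki 1.19+ extension, MWCryptRand fills this role per the announcement.
function secureResetToken(): string {
    return bin2hex(random_bytes(32));
}

// Weak: the block module as described in the advisory, acting on the request
// without requiring a token. Any page that can make the user's browser submit
// this request can block or unblock on the user's behalf.
function blockUserWithoutToken(array $request, callable $doBlock): bool {
    $doBlock($request['user']);
    return true;
}

// Hardened: refuse the state change unless the request carries the token bound to
// the caller's session. hash_equals() compares in constant time so the check does
// not leak how many leading characters matched. $session is an assumed shape.
function blockUserWithToken(array $request, array $session, callable $doBlock): bool {
    if (!isset($request['token'], $session['csrf_token'])) {
        return false;
    }
    if (!hash_equals($session['csrf_token'], (string) $request['token'])) {
        return false;
    }
    $doBlock($request['user']);
    return true;
}

// Demo with constructed inputs.
$blocked = [];
$doBlock = function (string $user) use (&$blocked): void {
    $blocked[] = $user;
};

// The session token is issued server-side with the same CSPRNG-backed generator.
$session = ['csrf_token' => secureResetToken()];

// A cross-site form only knows the fields it can guess; it does not hold the
// session token, so the unchecked path accepts it and the checked path rejects it.
$forged = ['user' => 'Victim', 'token' => 'guess'];
$unchecked = blockUserWithoutToken($forged, $doBlock);
$checked   = blockUserWithToken($forged, $session, $doBlock);

// The legitimate client echoes back the token it was issued with the page.
$legit = ['user' => 'Spammer', 'token' => $session['csrf_token']];
$legitResult = blockUserWithToken($legit, $session, $doBlock);

printf("forged request, no token check: %s\n", $unchecked ? 'accepted' : 'rejected');
printf("forged request, token check:    %s\n", $checked ? 'accepted' : 'rejected');
printf("legit request, token check:     %s\n", $legitResult ? 'accepted' : 'rejected');
printf("blocks applied: %s\n", implode(', ', $blocked));
printf("weak token:   %s\nsecure token: %s\n", weakResetToken(), secureResetToken());
```

The point of the side-by-side is that the token check is what converts an authorised user's ambient session into explicit intent: the browser will happily attach cookies to a cross-site POST (and, as the Special:Upload item notes, even file uploads), but it cannot supply a per-session value the attacking page never saw. The token's value must itself come from a CSPRNG, otherwise the check only moves the problem from "no token" to "guessable token", which is the reset-token weakness the mail describes.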
