Surely this reply was a mistake?
On Thu, May 8, 2014 at 11:46 PM, Liangent <[email protected]> wrote:
> On Mar 23, 2012 3:38 AM, "Sam Reed" <[email protected]> wrote:
> >
> > I'm happy to announce the availability of the second beta release of the
> > new MediaWiki 1.19 release series.
> >
> > Please try it out and let us know what you think. Don't run it on any
> > wikis that you really care about, unless you are both very brave and
> > very confident in your MediaWiki administration skills.
> >
> > MediaWiki 1.19 is a large release that contains many new features and
> > bug fixes. This is a summary of the major changes of interest to users.
> > You can consult the RELEASE-NOTES-1.19 file for the full list of changes
> > in this version.
> >
> > Five security issues were discovered.
> >
> > It was discovered that the API had a cross-site request forgery (CSRF)
> > vulnerability in the block/unblock modules. It was possible for a user
> > account with the block privileges to block or unblock another user without
> > providing a token.
> >
> > For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
> >
> > It was discovered that the resource loader can leak certain kinds of private
> > data across domain origin boundaries, by providing the data as an executable
> > JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of
> > CSRF protection tokens. This allows compromise of the wiki's user accounts,
> > say by changing the user's email address and then requesting a password reset.
> >
> > For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
> >
> > Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF)
> > vulnerability in Special:Upload. Modern browsers (since at least as early as
> > December 2010) are able to post file uploads without user interaction,
> > violating previous security assumptions within MediaWiki.
> >
> > Depending on the wiki's configuration, this vulnerability could lead to
> > further compromise, especially on private wikis where the set of allowed
> > file types is broader than on public wikis. Note that CSRF allows compromise
> > of a wiki from an external website even if the wiki is behind a firewall.
> >
> > For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
> >
> > George Argyros and Aggelos Kiayias reported that the method used to generate
> > password reset tokens is not sufficiently secure. Instead we use various
> > more secure random number generators, depending on what is available on the
> > platform. Windows users are strongly advised to install either the openssl
> > extension or the mcrypt extension for PHP so that MediaWiki can take
> > advantage of the cryptographic random number facility provided by Windows.
> >
> > Any extension developers using mt_rand() to generate random numbers in
> > contexts where security is required are encouraged to instead make use of
> > the MWCryptRand class introduced with this release.
> >
> > For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
>
> I came across this mail and found this link still not viewable.
>
> >
> > A long-standing bug in the wikitext parser (bug 22555) was discovered to
> > have security implications. In the presence of the popular CharInsert
> > extension, it leads to cross-site scripting (XSS). XSS may be possible with
> > other extensions or perhaps even the MediaWiki core alone, although this is
> > not confirmed at this time. A denial-of-service attack (infinite loop) is
> > also possible regardless of configuration.
> >
> > For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315
> >
> > *********************************************************************
> > What's new?
> > *********************************************************************
> >
> > MediaWiki 1.19 brings the usual host of various bugfixes and new features.
> >
> > A comprehensive list of what's new is in the release notes.
> >
> > * Bumped MySQL version requirement to 5.0.2.
> > * Disable the partial HTML and MathML rendering options for Math,
> >   and render as PNG by default.
> > * MathML mode was so incomplete most people thought it simply didn't work.
> > * New skins/common/*.css files usable by skins instead of having to copy
> >   piles of generic styles from MonoBook or Vector's css.
> > * The default user signature now contains a talk link in addition to the
> >   user link.
> > * Searching blocked usernames in block log is now clearer.
> > * Better timezone recognition in user preferences.
> > * Extensions can now participate in the extraction of titles from URL paths.
> > * The command-line installer supports various RDBMSes better.
> > * The interwiki links table can now be accessed also when the interwiki
> >   cache is used (used in the API and the Interwiki extension).
> >
> > Internationalization
> > --------------------
> > * More gender support (for instance in user lists).
> > * Add languages: Canadian English.
> > * Language converter improved, e.g. it now works depending on the page
> >   content language.
> > * Time and number-formatting magic words also now depend on the page
> >   content language.
> > * Bidirectional support further improved after 1.18.
> >
> > Release notes
> > -------------
> > Full release notes:
> >
> > https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RELEASE-NOTES-1.19;hb=1.19.0beta2
> > https://www.mediawiki.org/wiki/Release_notes/1.19
> >
> > Coinciding with these security releases, the MediaWiki source code
> > repository has moved from SVN (at
> > https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git
> > (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant
> > commits for these releases will not be appearing in our SVN repository.
> > If you use SVN checkouts of MediaWiki for version control, you need to
> > migrate these to Git. If you are using tarballs, there should be no change
> > in the process for you.
> >
> > Please note that any WMF-deployed extensions have also been migrated to
> > Git, along with some other non-WMF-maintained ones.
> >
> > Please bear with us; some of the Git-related links for this release may
> > not work instantly, but should later on.
> >
> > To do a simple Git clone, the command is:
> > git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git
> >
> > More information is available at https://www.mediawiki.org/wiki/Git
> >
> > For more help, please visit the #mediawiki IRC channel on freenode.net
> > irc://irc.freenode.net/mediawiki or email the MediaWiki-l mailing list
> > at [email protected].
> >
> >
> > **********************************************************************
> > Download:
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz
> >
> > Patch to previous version (1.19.0beta1), without interface text:
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz
> >
> > Interface text changes:
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz
> >
> > GPG signatures:
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.sig
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz.sig
> > http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patch.gz.sig
> >
> > Public keys:
> > https://secure.wikimedia.org/keys.html
> >
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [email protected]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
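The advisory above tells extension authors to stop building security tokens from mt_rand(). The following is an added example, not MediaWiki's or MWCryptRand's own code: it puts the weak pattern beside a hardened one that uses plain PHP functions, with a fallback chain in the spirit of the advisory's "depending on what is available on the platform". Function names here are hypothetical; inside MediaWiki the MWCryptRand class named in the advisory is the intended replacement.

```php
<?php
// Added example (not MediaWiki code). Weak vs. hardened password-reset token
// generation in PHP.

// WEAK: mt_rand() is a Mersenne Twister PRNG with a small, recoverable state.
// Tokens built from it are not suitable for password resets or CSRF defence.
function weakResetToken(int $hexChars = 32): string {
    $token = '';
    for ($i = 0; $i < $hexChars; $i++) {
        $token .= dechex(mt_rand(0, 15));
    }
    return $token;
}

// HARDENED: draw the token from an OS-backed cryptographic source. The chain
// mirrors the advisory's advice to use the best generator the platform offers
// (random_bytes on PHP >= 7, otherwise the openssl extension).
function strongResetToken(int $bytes = 16): string {
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $cryptoStrong = false;
        $out = openssl_random_pseudo_bytes($bytes, $cryptoStrong);
        if ($out !== false && $cryptoStrong) {
            return bin2hex($out);
        }
    }
    // Refuse to issue a token rather than silently fall back to mt_rand().
    throw new RuntimeException('No cryptographically secure RNG available');
}

// Store only a hash of the issued token, and compare in constant time when
// the user presents it, so a database leak does not expose live reset links.
function hashResetToken(string $token): string {
    return hash('sha256', $token);
}

function resetTokenMatches(string $presented, string $storedHash): bool {
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage (constructed flow): issue, store the hash, later verify.
$issued = strongResetToken();
$stored = hashResetToken($issued);
var_dump(resetTokenMatches($issued, $stored));    // bool(true)
var_dump(resetTokenMatches('deadbeef', $stored)); // bool(false)
```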
