
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] MediaWiki security release 1.16.1

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Tim Starling <tstarling AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org, wikitech-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki security release 1.16.1
  • Date: Tue, 04 Jan 2011 17:55:48 +1100
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Openpgp: id=BF976370


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to announce the release of MediaWiki 1.16.1, which is a
security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no
protection against "clickjacking". With user or site JavaScript or CSS
enabled, clickjacking can lead to cross-site scripting (XSS), and thus
full compromise of the wiki account of any user who visits a malicious
external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views
and a few selected special pages. To be protected, all users need to
use a browser which supports X-Frame-Options. For information about
supported browsers, see:

<https://developer.mozilla.org/en/the_x-frame-options_response_header>

For more information about this vulnerability and the related patch, see:

<https://bugzilla.wikimedia.org/show_bug.cgi?id=26561>

Other changes in MediaWiki 1.16.1:

* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement
works again as an alias for Special:Upload.
* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in
1.16.0)
* (bug 25248) Fixed paraminfo errors in certain API modules.
* The installer now has improved handling for situations where
safe_mode is active or exec() and similar functions are disabled.
* (bug 19593) Specifying --server now works for all maintenance
scripts.
* Fixed $wgLicenseTerms register globals.

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_1/phase3/RELEASE-NOTES

**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz

Patch to previous version (1.16.0), without interface text:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz

GPG signatures:
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.1.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.16/mediawiki-i18n-1.16.1.patch.gz.sig

Public keys:
https://secure.wikimedia.org/keys.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0ixHAACgkQgkA+Wfn4zXmOcgCePqvDrlaw1FZLbtOfx/3tEIID
GQkAn3eSSdTbBCOqXLvXNiG4Vm0kXl7r
=haR1
-----END PGP SIGNATURE-----
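
The following post-upgrade check is an added example, not part of the announcement and not MediaWiki code. It audits captured response heads for the behaviour the message describes: framing denied everywhere except normal page views and some special pages. Assumptions: the host `wiki.example` and the sample responses are constructed, `DENY` and `SAMEORIGIN` are treated as the accepted header values, and a "normal page view" is taken to mean no `action` parameter or `action=view`.

```python
from urllib.parse import urlsplit, parse_qs

RESTRICTIVE = {"DENY", "SAMEORIGIN"}  # assumption: values accepted as a framing limit

def frame_options(raw_head):
    """Return every X-Frame-Options value in a raw HTTP response head."""
    head = raw_head.split("\r\n\r\n", 1)[0]        # ignore any body bytes
    values = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip().upper())
    return values

def classify(url, raw_head):
    """'ok', 'frameable' (must be fixed) or 'review' (special page, check by hand)."""
    values = frame_options(raw_head)
    # Conflicting or unknown values are not relied on as protection.
    if len(set(values)) == 1 and values[0] in RESTRICTIVE:
        return "ok"
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    title = query.get("title", [parts.path.rsplit("/", 1)[-1]])[0]
    if title.startswith("Special:"):
        return "review"        # the announcement does not list the exempt special pages
    if query.get("action", ["view"])[0] == "view":
        return "ok"            # normal page views may stay frameable
    return "frameable"

def audit(responses):
    return {url: classify(url, head) for url, head in responses}

BASE = "http://wiki.example/index.php?title="      # constructed sample data
SAMPLE = [
    (BASE + "Main_Page", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    (BASE + "Main_Page&action=edit", "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n"),
    (BASE + "Main_Page&action=history", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    (BASE + "Special:Preferences", "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {url}")
```
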

