MediaWiki / News: Recent posts

Please visit http://www.mediawiki.org/

Please note that MediaWiki's SourceForge project has been inactive since 2007, as we've moved our development to our own hosting.

See http://www.mediawiki.org/wiki/Download for all current MediaWiki downloads.

Posted by Brion Vibber 2009-08-07

MediaWiki 1.9.3, 1.8.4, 1.7.3, 1.6.10 released

February 20, 2007

MediaWiki 1.9.3 is a security and bug-fix update to the Winter 2007
quarterly release. Minor compatibility fixes for IIS and PostgreSQL are
included.

An XSS injection vulnerability based on Microsoft Internet Explorer's
UTF-7 charset autodetection was located in the AJAX support module,
affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
$wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module,
either disable it or upgrade to a version containing the fix: ...

Posted by Brion Vibber 2007-03-23

MediaWiki 1.9.1 released

January 24, 2007

This is a bug-fix update that fixes some installation and upgrade issues
with the original 1.9.0 release.

* (bug 3000) Fall back to SCRIPT_NAME plus QUERY_STRING when REQUEST_URI
is not available, as on IIS with PHP-CGI
* Security fix for DjVu images. (Only affects servers where .djvu file
uploads are enabled and $wgDjvuToXML is set.)
* (bug 8638) Fix update from 1.4 and earlier
* (bug 8641) Fix order of updates to ipblocks table for updates from <=1.7
* (bug 8673) Minor fix for web service API content-type header
* Fix API revision list on PHP 5.2.1; bad reference assignment
* Fixed up the AjaxSearch
* Exclude settings files when generating documentation. That could
expose the database user and password to remote users.
* ar: fix the 'create a new page' on search page when no exact match found
* Correct tooltip accesskey hint for Opera on the Macintosh (uses
Shift-Esc-, not Ctrl-).
* (bug 8719) Firefox release notes lie! Fix tooltips for Firefox 2 on
x11; accesskeys default settings appear to be same as Windows.

Posted by Brion Vibber 2007-01-24

MediaWiki 1.9.0 released

This is the quarterly release snapshot for Winter 2007. While the code has been running on Wikipedia for some time, installation and upgrade bits may be less well tested. Bug fix releases may follow in the coming days or weeks.

Posted by Brion Vibber 2007-01-10

MediaWiki 1.6.9, 1.7.2, 1.8.3, 1.9.0rc2 released

An XSS injection vulnerability was located in the AJAX support module, affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9

Posted by Brion Vibber 2007-01-09

MediaWiki 1.8.2 released

MediaWiki 1.8.2 fixes several issues in the Fall 2006 snapshot release:

* (bug 7565) Fixed typos in German localisation
* (bug 7562) Fix non-ASCII namespaces on Windows/XAMPP servers

Posted by Brion Vibber 2006-10-14

MediaWiki 1.8.0 released

This is the quarterly release snapshot for Fall 2006. While the code has been running on Wikipedia for some time, installation and upgrade bits may be less well tested. Bug fix releases may follow in the coming days or weeks.

Posted by Brion Vibber 2006-10-10

MediaWiki 1.7.1, 1.6.8 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow.

New Bugfix/security releases for Summer (1.7) and Spring (1.6) 2006 snapshot branches.

A potential HTML injection with some vulnerable versions of PHP in a debugging script has been fixed.

Posted by Brion Vibber 2006-07-10

MediaWiki 1.6.7 released

MediaWiki 1.6.7 is a security and bugfix maintenance release of the
Spring 2006 snapshot:

An HTML/JavaScript-injection vulnerability in the edit form has been closed.
This vulnerability was new in 1.6.0; MediaWiki versions 1.5.x or earlier are
not affected.

Extensions, comments, and <nowiki> sections are now handled in a one-pass
way which is more reliable and safer. Under earlier versions of MediaWiki,
certain extensions could be abused to inject HTML/JavaScript into the page.

Posted by Brion Vibber 2006-06-06


MediaWiki 1.6.4 released

MediaWiki 1.6.4 is a maintenance bug fix release, which rolls up some fixes to additional minor problems and localization updates to the Spring 2006 quarterly snapshot.

Full release notes:
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_6_4/phase3/RELEASE-NOTES
http://svn.wikimedia.org/viewvc/mediawiki/tags/REL1_6_4/phase3/HISTORY

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.6.4.tar.gz

Posted by Brion Vibber 2006-05-02


MediaWiki 1.6.2 released

MediaWiki 1.6.2 makes some additional fixes to the spring 2006 release branch:

* Further improvements to Hebrew localisation
* Fix 'copyright' message for Romanian
* (bug 5476) Invalid xhtml in German localization
* (bug 5479) Id translation for preferences tabs caption
* (bug 5493) Id translation for special pages
* Additional path fixes in the updater
* (bug 5344) Fix regression that broke slashes in extension tag parameters

Posted by Brion Vibber 2006-04-08


MediaWiki 1.6.0 released

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development
will be made on the development trunk and appear in the next quarterly release.

Posted by Brion Vibber 2006-04-05

MediaWiki 1.5.8, 1.4.15 released

MediaWiki 1.5.8 and 1.4.15 are security and bugfix maintenance releases.

A bug in decoding of certain encoded links could allow injection of raw HTML into page output; this could potentially lead to XSS attacks.

Posted by Brion Vibber 2006-03-27

MediaWiki 1.5.7 released

MediaWiki 1.5.7 is a bugfix maintenance release.

Most importantly, a security issue in the installer has been fixed. The bug affects new installations of 1.5.6 only. If the user specified the MySQL root password, to allow the installer to create an unprivileged account, the installer would not only create the new account but also change the root password to be equal to the password of the new account.

Posted by Brion Vibber 2006-03-02

MediaWiki 1.5.6 and 1.4.14 released

MediaWiki 1.5.6 and 1.4.14 are security and bugfix maintenance releases.

A bug in edit comment formatting could send PHP into an infinite loop if certain malformed links were included. In most installations, this would cause the script to fail after PHP's 30-second failsafe timeout.

Release notes:
1.5.6: http://sourceforge.net/project/shownotes.php?release_id=386609
1.4.14: http://sourceforge.net/project/shownotes.php?release_id=386608

Posted by Brion Vibber 2006-01-19

MediaWiki 1.5.5, 1.4.13 released

MediaWiki 1.5.5 and 1.4.13 are security and bugfix maintenance releases.

Detection for uploads of Windows Metafile (.wmf) images has been added to help
protect against a client-side vulnerability in unpatched Microsoft Windows
operating systems.

Sites which have enabled uploads and added non-standard file types (such as
.ogg, .doc, or .pdf) should upgrade to this release to ensure that malicious
.wmf files can't be uploaded with a fake extension; such files could put
visitors to the site at risk.

Posted by Brion Vibber 2006-01-06

MediaWiki 1.5.4 released

MediaWiki 1.5.4 is a bugfix and security update. This release fixes some potential JavaScript injections on Internet Explorer, and corrects clearing of the "new messages" flag for some users with e-mail notification enabled.

Posted by Brion Vibber 2005-12-22

MediaWiki 1.5.2, 1.4.12, 1.3.18

New MediaWiki releases fix problems with PHP 4.4.1.

1.5.2 also fixes some issues with MySQL 5.0, PHP 5.0.5, and PHP 5.1.0RC.

1.4.12 and 1.3.18 include additional fixes to protect against an Internet Explorer JavaScript injection flaw. (An equivalent fix was already in 1.5.1.)

Posted by Brion Vibber 2005-11-03

MediaWiki 1.5.1

MediaWiki 1.5.1 is a bugfix and security maintenance release, and is a recommended upgrade for all installations.

Major fixes include:
* More XSS fixes for Internet Explorer CSS+JavaScript injection
* Image pages work again with resizing disabled
* Works in MySQL 5.0 strict mode
* Experimental support for MySQL 4.1/5.0 UTF-8 charset declaration

Posted by Brion Vibber 2005-10-26

MediaWiki 1.5.0

The new stable release of MediaWiki is 1.5.0, featuring a new more efficient database schema, better upload handling, and many exciting features.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=361506

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.5.0.tar.gz?download

MD5 checksum:
mediawiki-1.5.0.tar.gz b431e82ee5fd0d619d17cb2d417387c3

Posted by Brion Vibber 2005-10-06

MediaWiki 1.4.11, 1.3.17 security update

Security updates have been released as MediaWiki 1.4.11 and 1.3.17. This release prevents exploitation of unsafe CSS handling in Microsoft Internet Explorer for possible cross-site-scripting attacks.

Anyone running older versions of 1.4 and 1.3 MediaWiki should be sure to upgrade -- there's a data corruption bug in older versions (fixed in 1.4.10/1.3.16) which is triggered by a spambot known to be active in the wild.

Posted by Brion Vibber 2005-10-06

MediaWiki 1.4.7 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow. MediaWiki 1.4.7 is a bug fix release.

Those affected by the following problems in 1.4.6 should upgrade:

* Watchlist breakage on MySQL 3.23.x and with table prefix enabled
* Possible breakage in watchlist, some image resizing modes on PHP 4.1.2

Posted by Brion Vibber 2005-07-20