MediaWiki / News: Recent posts

MediaWiki 1.4.6, 1.5beta3 released (SECURITY)

MediaWiki 1.4.6 is a bug fix and security update release. Incorrect escaping of a parameter in the page move template could be used to inject JavaScript code by getting a victim to visit a maliciously constructed URL. Users of vulnerable releases are recommended to upgrade to this release.

Vulnerable versions:
* 1.5 preview series: n <= 1.5beta2 vulnerable, fixed in 1.5beta3
* 1.4 stable series: 1.4beta6 <= n <= 1.4.5 vulnerable, fixed in 1.4.6
* 1.3 legacy series: not vulnerable...

Posted by Brion Vibber 2005-07-08

MediaWiki 1.5beta2 released

MediaWiki 1.5 beta 2 is a preview release of the new 1.5 release series. While most exciting new bugs should have been ironed out at this point, third-party wiki operators should probably not run this beta release on a public site without closely following additional development.

Anyone who _has_ been running beta 1 is very very strongly advised to upgrade to beta 2, as it fixes many bugs from the previous beta including a couple of HTML and SQL injections....

Posted by Brion Vibber 2005-07-05

MediaWiki 1.3.13, 1.4.5, 1.5alpha2 released (SECURITY)

MediaWiki 1.3.13 is a security maintenance release.

Incorrect handling of page template inclusions made it possible to inject JavaScript code into HTML attributes, which could lead to cross-site scripting attacks on a publicly editable wiki.

Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended...

Posted by Brion Vibber 2005-06-03

MediaWiki 1.4.4 released

MediaWiki 1.4.4 is a bugfix release for the 1.4 stable release series.

Some bugs in the installer/updater and refreshLinks maintenance script were introduced in the last release and have been corrected.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=325088

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.4.4.tar.gz?download
MD5 checksum: 85553d464041e36b85939810d79f5bf4...

Posted by Brion Vibber 2005-05-04

MediaWiki 1.4.3 released

MediaWiki 1.4.3 is a bugfix release for the 1.4 stable release series.

Chiefly, this fixes a compatibility problem with PHP 5 and a minor link table corruption bug on initial page save.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=323971

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.4.3.tar.gz?download

Before asking for help, try the FAQ:
http://meta.wikimedia.org/wiki/MediaWiki_FAQ ...

Posted by Brion Vibber 2005-04-29

MediaWiki 1.4.2 released

MediaWiki 1.4.2 is a security and bug fix release for the 1.4 stable release series. A cross-site scripting injection vulnerability was discovered, which affects only MSIE clients and is only open if MediaWiki has been manually configured to run output through HTML Tidy ($wgUseTidy).

Several other bugs are also fixed in 1.4.2.

A 1.3.12 maintenance release is also available with the Tidy fix only....

Posted by Brion Vibber 2005-04-22

MediaWiki 1.4.1 released

MediaWiki 1.4.1 is a bug fix release for the 1.4 stable release series.

All new installations are highly recommended to use 1.4.1 instead of 1.3.x; 1.3.x users should consider upgrading for bug fixes and new features.

1.4.0 and 1.4 beta or release candidate users should upgrade to this release for relevant bug fixes; see the changelog in the release notes.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=321333...

Posted by Brion Vibber 2005-04-17

MediaWiki 1.4.0 released

MediaWiki 1.4.0 is the first official stable release in the 1.4 series. All new installations are highly recommended to use 1.4.0 instead of 1.3.x; 1.3.x users should consider upgrading for bug fixes and new features.

1.4 beta or release candidate users should upgrade to this release.

See the release notes (link below) for a fuller list of changes from the previous 1.3.x series and installation notes....

Posted by Brion Vibber 2005-03-21

MediaWiki 1.3.11, 1.4rc1 security update

A code security audit on MediaWiki has turned up several potentially exploitable bugs. New releases are available in the 1.3 stable and 1.4 beta branches; all users are strongly encouraged to upgrade.

1.4 release candidate 1 includes a number of other bug fixes and localization updates as well.

Release notes and download:
https://sourceforge.net/project/showfiles.php?group_id=34373

Posted by Brion Vibber 2005-02-21

MediaWiki 1.4beta5 released (SECURITY)

MediaWiki 1.4beta5 is a security and bug fix release for the 1.4 beta series. Previous MediaWiki 1.4 beta releases include an input validation error which could lead to execution of arbitrary PHP code on the server.

All users of 1.4 beta releases are strongly urged to upgrade to 1.4beta5 immediately. The 1.3.x stable release series is not affected by this problem.

Beta 5 additionally fixes a number of non-security-related bugs, and requires one minor database change. If upgrading from a previous beta, see the file UPGRADE in the release archive for instructions....

Posted by Brion Vibber 2005-01-17

MediaWiki 1.4beta4 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow. MediaWiki 1.4beta4 is an experimental release, to help flush out remaining major problems in the code prior to a final public 1.4.0 release. It is not recommended to use this beta on a public site unless you're familiar with MediaWiki innards and are willing and able to help diagnose and fix problems that come up....

Posted by Brion Vibber 2005-01-10

MediaWiki 1.4beta3 and 1.3.9 released

MediaWiki 1.3.9 is a security and bug fix release.

A flaw in upload handling has been found which may allow upload and execution of arbitrary scripts with the permissions of the web server. Only wikis that have enabled uploads and have a vulnerable Apache configuration will be affected, but to be safe all wikis should upgrade.

Wikis with uploads available should either disable uploads or upgrade to 1.3.9 immediately; if other files are customized and require merging changes, includes/SpecialUpload.php may be replaced individually to add the fix....

Posted by Brion Vibber 2004-12-13

MediaWiki 1.4beta2 released

MediaWiki 1.4beta2 is an experimental release, to help flush out remaining major problems in the code prior to a final public 1.4.0 release. It is not recommended to use this beta on a public site unless you're familiar with MediaWiki innards and are willing and able to help diagnose and fix problems that come up. All beta1 users should upgrade as soon as possible.

This release fixes separate input validation issues with image gallery rendering and PostgreSQL. Other fixes include Recentchanges in PHP5, whitelist-edit mode, table prefixes, page renaming, and other issues. Additionally, startup time for cached page views is slightly faster....

Posted by Brion Vibber 2004-12-10

MediaWiki 1.4beta1 released

MediaWiki 1.4beta1 is an experimental release, to help flush out remaining major problems in the code prior to a final public 1.4.0 release. It is not recommended to use this beta on a public site unless you're familiar with MediaWiki innards and are willing and able to help diagnose and fix problems that come up.

Most page views will be significantly faster than in previous versions. Compatibility fixes for PHP5 and "safe mode"; optional table prefix improves sharing with other web apps. New plug-in hooks have been added, including a drop-in skin system. Default preferences can be more easily overridden, and users now have the option to select an alternate user interface language. Image support is improved with photo galleries, optional SVG rasterization, and better scaling of large images on their description pages....

Posted by Brion Vibber 2004-12-03

MediaWiki 1.3.8 released

MediaWiki 1.3.8 is a bugfix release. Those running wikis with uploads enabled are strongly recommended to upgrade as this fixes several problems with overwriting previously-uploaded files.

Release notes:
http://sourceforge.net/project/shownotes.php?release_id=282945

Download:
http://prdownloads.sf.net/wikipedia/mediawiki-1.3.8.tar.gz?download

Wiki admin help mailing list:
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l...

Posted by Brion Vibber 2004-11-16

MediaWiki 1.3.7

MediaWiki 1.3.7 is a security update, which contains a fix for an additional cross-site scripting vulnerability discovered during a code review. All MediaWiki users are strongly urged to upgrade to this latest release.

(Users already running 1.3.6 need copy in only the updated DefaultSettings.php and Title.php. Versions before 1.3.6 are vulnerable to a number of other security bugs, so please upgrade!)...

Posted by Brion Vibber 2004-10-18

MediaWiki 1.3.6 released

MediaWiki 1.3.6 is a security update, which contains fixes for several cross-site scripting and SQL injection vulnerabilities discovered during a code review. All MediaWiki users are strongly urged to upgrade to this latest release.

Changes from 1.3.5:
* (bug 296) Variables in user interface messages are no longer substituted
at install time, so changes to the site name etc should be easier to make
* (bug 149) Special:Recentchanges "changes from" link preserves limit
* (bug 433) tooltip for "Undelete" tab now labeled correctly
* (bug 439) unclickable "Move" tab no longer displays on protected pages
* (bug 484) graceful deletion of images where the actual file is missing
* (bug 686) fixed [[plural]]s in Catalan localization
* Fixed potential HTML/JavaScript injection attack in the UnicodeConverter
extension. (This extension is not enabled by default.)
* Fixed potential HTML/JavaScript injection attack via raw page views to
a maliciously crafted wiki page.
* (bug 187, bug 669) Fixed centered thumbnails, using <div> instead of
<span>.
* catch MySQL error 2000 during installation.
* (bug 704) Removed misleading LocalSettings.sample
* Fix cross site scripting bugs in SpecialIpblocklist, SpecialEmailuser
* Fix SQL injection and cross site scripting bugs in SpecialMaintenance
* Fix cross site scripting bugs and possible filename validation vulnerability
in ImagePage.
* and more of that sort...

Posted by Brion Vibber 2004-10-14

MediaWiki 1.3.5 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow. MediaWiki 1.3.5 is a security update, which contains a small fix for a potential cross-site scripting vulnerability. All MediaWiki 1.3.x users are strongly encouraged to upgrade to this latest release....

Posted by Brion Vibber 2004-10-01

MediaWiki 1.3.2 released

Fixes since 1.3.1:
* Fix namespaced page creation links when no go match
* When cookies are disabled, don't show login screen twice
* Install should no longer die when PHP is pre-configured to compress output
* Fixed bug that caused long Japanese pages to time out with Tidy active
* When session.handler is set incorrectly, try automatic override to 'files'
* Watch/Unwatch links back to the affected page instead of Main Page
* Upload link no longer displayed on Monobook if uploading is disabled
* Special:Allmessages faster, shows correct original text, works in safe mode...

Posted by Brion Vibber 2004-08-30

MediaWiki 1.3.1 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow. MediaWiki 1.3.1 is a bugfix release.

1.3.1 fixes some remaining issues from 1.3.0.

* Watchlist parameters now work with register_globals off
* Fixed parsing of ''italics'' and '''bold''' mark-up (again)
* Special:Allpages display is more sensible on smaller wikis
* Fixed XHTML parsing error in classic skins
* Moved pages update watchlist correctly
* Fixed rebuildall.php on case-sensitive Unix filesystems
* Disabled file cache compression by default due to incompatibility
with output buffer compression (ob_gzhandler)
* New magic word PAGENAMEE (URL-escaped version of PAGENAME)
* Installation avoids blank username; better message on missing
XML module
* $wgWhitelistAccount no longer breaks all logins. ...

Posted by Brion Vibber 2004-08-17

MediaWiki 1.3.0 released

After an annoyingly long series of beta releases, say hello to MediaWiki 1.3.0! Everyone running the beta releases is _strongly_ recommended to upgrade to the current code. MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow....

Posted by Brion Vibber 2004-08-12

MediaWiki 1.3.0beta6 released

This should be the final beta release of MediaWiki 1.3.0; the final final version will be released in a few days after some more bug fixing and polishing up of documentation and installation.

Beta 6 includes a security fix: earlier 1.3.0 beta releases may be vulnerable to a PHP inclusion attack if you have allow_url_fopen and register_globals on (this is the default configuration in PHP 4.1.x, but register_globals is off by default in 4.2.x and later)....

Posted by Brion Vibber 2004-08-06

MediaWiki 1.3.0beta5 released

Accumulated bug fixes since the last beta. Hopefully this should resolve most major upgrade and installation issues (missing user_real_name field, PEAR error with bad temp dir). MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow. ...

Posted by Brion Vibber 2004-07-23

MediaWiki 1.3.0beta4 released

MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow.

Some compatibility fixes for PHP 4.1.2 and 4.2.x; installer checks for missing MySQL support; and many various things fixed. Anyone running a public server on 1.3.0beta is strongly recommended to upgrade to this release, as a potential JavaScript injection attack in earlier betas has been fixed. (1.2.x is not vulnerable.)...

Posted by Brion Vibber 2004-06-28

MediaWiki 1.3.0beta3 released

The installer now tries to enable error reporting and checks for some problem conditions (low memory_limit and lack of PHP's installed-by-default XML module). Hopefully this will solve some install problems and make it easier to diagnose others.

Release notes:
https://sourceforge.net/project/shownotes.php?release_id=245372

Download:
http://prdownloads.sourceforge.net/wikipedia/mediawiki-1.3.0beta3.tar.gz?download...

Posted by Brion Vibber 2004-06-13