[MediaWiki-announce] MediaWiki 1.11.2 released (security)


Brion Vibber brion at wikimedia.org
Mon Mar 3 07:20:45 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MediaWiki 1.11.2 is a security release of the Fall 2007 snapshot release
of MediaWiki. Possible cross-site information leaks using the callback
parameter for JSON-formatted results in the API are prevented by
dropping user credentials.

MediaWiki release versions prior to 1.11 are not vulnerable, as they do
not include the callback feature which allows client-side JavaScript on
other sites to reach API data.

Changes in this release:

* User credentials are dropped for API JSON requests using a callback
* Edit tokens are not reported for API JSON requests using a callback


Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_11_2/phase3/RELEASE-NOTES


Download:
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch


GPG signatures:
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.11/mediawiki-1.11.2.patch.sig


SHA-1 checksums:
c5d5e99d73e646cff421b3bb92dd638fb93cd575 mediawiki-1.11.2.tar.gz
ce13da8071c4618deda28cf6e8c2eea110d258ef mediawiki-1.11.2.patch


MD-5 checksums:
MD5 (mediawiki-1.11.2.tar.gz) = 12e81f27a37b15b9d1ed110d6f48b35f
MD5 (mediawiki-1.11.2.patch) = 7cac126c2bdda3b32160da8faab246b4


Before asking for help, try the FAQ:
http://www.mediawiki.org/wiki/Manual:FAQ

Low-traffic release announcements mailing list:
(Please subscribe to receive announcements of security updates.)
http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

Wiki admin help mailing list:
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Bug report system:
http://bugzilla.wikimedia.org/

Play "stump the developers" live on IRC:
#mediawiki on irc.freenode.net

- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkfLps0ACgkQwRnhpk1wk46ZLgCfa1/wygI6y3ncmGiLW/AUqFku
YWEAoMTCedybr2GHmz7zldVk894rg8wL
=s6Xl
-----END PGP SIGNATURE-----
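
The two changes listed in the announcement, modeled as a small request handler. This is an added example, not MediaWiki code and not part of the original message: the handler, the session table, the `token` query parameter and the callback-name check are all hypothetical, constructed for illustration.

```javascript
// Added illustration; not MediaWiki source. All names here are hypothetical.
// Constructed session store: cookie value -> logged-in user.
const SESSIONS = { "sess-abc": { name: "Alice", editToken: "constructed-token" } };

// Assumption (not from the announcement): accept identifier-style callback names only.
const CALLBACK_RE = /^[A-Za-z_$][\w$.]*$/;

function resolveUser(req, usingCallback) {
  // A callback-wrapped response can be loaded by a <script> tag on any site,
  // and the browser attaches the wiki's cookies to that request. Dropping the
  // credentials means the response describes an anonymous user instead.
  if (usingCallback) return null;
  return SESSIONS[req.cookies.session] || null;
}

function handleApiRequest(req) {
  const callback = req.query.callback;
  const usingCallback = callback !== undefined;
  if (usingCallback && !CALLBACK_RE.test(callback)) {
    return { status: 400, type: "text/plain", body: "invalid callback" };
  }

  const user = resolveUser(req, usingCallback);
  const result = { userinfo: user ? { name: user.name } : { anon: true } };

  // Edit tokens authorize writes, so they are never reported when a callback
  // is in use, independently of the credential drop above.
  if (req.query.token === "edit" && user && !usingCallback) {
    result.edittoken = user.editToken;
  }

  const json = JSON.stringify(result);
  return usingCallback
    ? { status: 200, type: "text/javascript", body: `${callback}(${json})` }
    : { status: 200, type: "application/json", body: json };
}

// Constructed requests: the same session cookie, without and with a callback.
const cookies = { session: "sess-abc" };
const direct = handleApiRequest({ cookies, query: { token: "edit" } });
const jsonp = handleApiRequest({ cookies, query: { token: "edit", callback: "cb" } });
console.log(direct.body); // per-user data and edit token
console.log(jsonp.body);  // anonymous view, no token
```
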


