Brion Vibber | 24 Aug 00:59 2005

MediaWiki 1.3.14, 1.4.8, 1.5rc1 released [SECURITY]


MediaWiki 1.5rc1 is a preview release of the new 1.5 release series.
Numerous bug fixes since last beta, plus a security fix; see change
log in the release notes for full details.

A flaw in the interaction between extensions and HTML attribute
sanitization was discovered which could allow unauthorized use
of offsite resources in style sheets, and possible exploitation
of a JavaScript injection feature on Microsoft Internet Explorer.

This version expands the returned text and properly checks it
before output.

MediaWiki 1.4.8 is a bug fix and security maintenance release. It fixes
the above bug, plus an update to skins/MonoBook.php ensures that sites
using the default MonoBook skin will display correctly in the Internet
Explorer 7 beta. (1.3 and 1.5 are not affected by this display problem.)

MediaWiki 1.3.14 is a security maintenance release.

The 1.3.x series is no longer maintained except for security fixes;
new users and those seeking bug fixes should upgrade to 1.4.8 or 1.5rc1.
Existing 1.3.x installations not willing to upgrade to the current
stable release should apply the change manually; details are in the
release notes.

If you are actively using extensions to generate HTML attribute values,
upgrade to 1.4 or 1.5 for a full fix; 1.3.14 simply disables any attempt
to use such.
