Index: branches/REL1_14/phase3/HISTORY |
— | — | @@ -1,8 +1,116 @@ |
2 | 2 | Change notes from older releases. For current info see RELEASE-NOTES. |
3 | 3 | |
| 4 | +== Changes since 1.13.2 == |
4 | 5 | |
5 | | -== MediaWiki 1.13 == |
| 6 | +David Remahl of Apple's Product Security team has identified a number of |
| 7 | +security issues in previous releases of MediaWiki. Subsequent analysis by the |
| 8 | +MediaWiki development team expanded the scope of these vulnerabilities. The |
| 9 | +issues with a significant impact are as follows: |
6 | 10 | |
| 11 | +* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and |
| 12 | + 1.13.2. [CVE-2008-5249] |
| 13 | +* A local script injection vulnerability affecting Internet Explorer clients for |
| 14 | + all MediaWiki installations with uploads enabled. [CVE-2008-5250] |
| 15 | +* A local script injection vulnerability affecting clients with SVG scripting |
| 16 | + capability (such as Firefox 1.5+), for all MediaWiki installations with SVG |
| 17 | + uploads enabled. [CVE-2008-5250] |
| 18 | +* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki |
| 19 | + installations since the feature was introduced in 1.3.0. [CVE-2008-5252] |
| 20 | + |
| 21 | +XSS (cross-site scripting) vulnerabilities allow an attacker to steal an |
| 22 | +authorised user's login session, and to act as that user on the wiki. The |
| 23 | +authorised user must visit a web page controlled by the attacker in order to |
| 24 | +activate the attack. Intranet wikis are vulnerable if the attacker can |
| 25 | +determine the intranet URL. |
| 26 | + |
| 27 | +Local script injection vulnerabilities are like XSS vulnerabilities, except |
| 28 | +that the attacker must have an account on the local wiki, and there is no |
| 29 | +external site involved. The attacker uploads a script to the wiki, which another |
| 30 | +user is tricked into executing, with the effect that the attacker is able to act |
| 31 | +as the privileged user. |
| 32 | + |
| 33 | +CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki, |
| 34 | +but unlike an XSS vulnerability, the attacker can only act as the user in a |
| 35 | +specific and restricted way. The present CSRF vulnerability allows pages to be |
| 36 | +edited, with forged revision histories. Like an XSS vulnerability, the |
| 37 | +authorised user must visit the malicious web page to activate the attack. |
| 38 | + |
| 39 | +These four vulnerabilities are all fixed in this release. |
| 40 | + |
| 41 | +David Remahl also reminded us of some security-related configuration issues: |
| 42 | + |
| 43 | +* By default, MediaWiki stores a backup of deleted images in the images/deleted |
| 44 | + directory. If you do not want these images to be publically accessible, make |
| 45 | + sure this directory is not accessible from the web. MediaWiki takes some steps |
| 46 | + to avoid leaking these images, but these measures are not perfect. |
| 47 | +* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal |
| 48 | + errors. This is the default on most shared web hosts. |
| 49 | +* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may |
| 50 | + lead to path disclosure. |
| 51 | + |
| 52 | +Other changes in this release: |
| 53 | + |
| 54 | +* Avoid fatal error in profileinfo.php when not configured. |
| 55 | +* Add a .htaccess to deleted images directory for additional protection against |
| 56 | + exposure of deleted files with known SHA-1 hashes on default installations. |
| 57 | +* Avoid streaming uploaded files to the user via index.php. This allows |
| 58 | + security-conscious users to serve uploaded files via a different domain, and |
| 59 | + thus client-side scripts executed from that domain cannot access the login |
| 60 | + cookies. Affects Special:Undelete, img_auth.php and thumb.php. |
| 61 | +* When streaming files via index.php, use the MIME type detected from the |
| 62 | + file extension, not from the data. This reduces the XSS attack surface. |
| 63 | +* Blacklist redirects via Special:Filepath. Such redirects exacerbate any |
| 64 | + XSS vulnerabilities involving uploads of files containing scripts. |
| 65 | +* Internationalisation updates. |
| 66 | + |
| 67 | +== Changes since 1.13.1 == |
| 68 | + |
| 69 | +* Security: Work around misconfiguration by requiring strict comparisons for |
| 70 | + in_array in User::isAllowed(). |
| 71 | +* (bug 14944) Added $wgShellLocale for configuration of an appropriate locale |
| 72 | + to use for LC_CTYPE during shell invocation. For servers that don't have |
| 73 | + en_US.utf8. Also added locale detection during install. |
| 74 | +* Localisation updates |
| 75 | +* Security: Fixed XSS vulnerability in useskin parameter. |
| 76 | + |
| 77 | +== Changes since 1.13.0 == |
| 78 | + |
| 79 | +* (bug 15460) Fixed intermittent deadlock errors and poor concurrent |
| 80 | + performance for installations without memcached. |
| 81 | +* (bug 13770) Fixed DOM module detection for installations with both dom |
| 82 | + and domxml. |
| 83 | +* (bug 15148) Fixed Special:BlockIP for PostgreSQL |
| 84 | +* Fixed SQLite support for non-memcached installations |
| 85 | +* Localisation updates, Achinese (ace) added. |
| 86 | + |
| 87 | +== Changes since 1.13.0rc2 == |
| 88 | + |
| 89 | +* (bug 13770) Fixed incorrect detection of PHP's DOM module |
| 90 | +* Fix regression from r37834: accesskey tooltip hint should be given for the |
| 91 | + minor edit and watch labels on the edit page. |
| 92 | +* Updated Chinese simplified/traditional conversion tables |
| 93 | + |
| 94 | +== Changes since 1.13.0rc1 == |
| 95 | + |
| 96 | +* $wgForwardSearchUrl has been removed entirely. Documented setting since 1.4 |
| 97 | + has been $wgSearchForwardUrl. |
| 98 | +* (bug 14907) DatabasePostgres::fieldType now defined. |
| 99 | +* (bug 14966) Fix SearchEngineDummy class for silently non-functional search |
| 100 | + on Sqlite instead of horribly fatal error breaky one. |
| 101 | +* (bug 14987) Only fix double redirects on page move when the checkbox is |
| 102 | + checked |
| 103 | +* (bug 13376) Use $wgPasswordSender, not $wgEmergencyContact, as return |
| 104 | + address for page update notification mails. |
| 105 | +* API: Registration time of users registered before the DB field was created is now |
| 106 | + shown as empty instead of the current time. |
| 107 | +* (bug 14904): fragments were lost when redirects were fixed. |
| 108 | +* Added magic word __STATICREDIRECT__ to suppress the redirect fixer |
| 109 | +* (bug 15035) Revert English linkTrail to /^([a-z]+)(.*)$/sD, as it was before |
| 110 | + r36253. Multiple reports of breakage due to old (pre-5.0) PCRE libraries, |
| 111 | + both bundled with PHP and packaged with distros such as RHEL. |
| 112 | +* (bug 14944) Shell invocation of external programs such as ImageMagick convert |
| 113 | + was broken in PHP 5.2.6, if the server had a non-UTF-8 locale. |
| 114 | + |
7 | 115 | === Configuration changes in 1.13 === |
8 | 116 | |
9 | 117 | * New option $wgFeed can be set false to turn off syndication feeds |
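Review bot: dropping the `-== MediaWiki 1.13 ==` heading while leaving `=== Configuration changes in 1.13 ===` in place means the 1.13 configuration sub-section now nests under `== Changes since 1.13.0rc1 ==` rather than under a 1.13 release heading; consider keeping a second-level 1.13 heading above the carried-over 1.13.x change lists so the HISTORY structure stays consistent. Two smaller documentation points in the same hunk: the prose says "These four vulnerabilities are all fixed in this release", but in a file described as "Change notes from older releases" the phrase "this release" is ambiguous, so naming the 1.13.x point release under the `== Changes since 1.13.2 ==` header would help; and the list counts four vulnerabilities but cites only three identifiers (the Internet Explorer and SVG local script injection items both carry [CVE-2008-5250]), so please confirm that the shared identifier is intended rather than a copy-paste slip.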
Index: branches/REL1_14/phase3/includes/DefaultSettings.php |
— | — | @@ -33,7 +33,7 @@ |
34 | 34 | } |
35 | 35 | |
36 | 36 | /** MediaWiki version number */ |
37 | | -$wgVersion = '1.14alpha'; |
| 37 | +$wgVersion = '1.14rc1'; |
38 | 38 | |
39 | 39 | /** Name of the site. It must be changed in LocalSettings.php */ |
40 | 40 | $wgSitename = 'MediaWiki'; |
Index: branches/REL1_14/phase3/RELEASE-NOTES |
— | — | @@ -5,7 +5,7 @@ |
6 | 6 | |
7 | 7 | == MediaWiki 1.14 == |
8 | 8 | |
9 | | -THIS IS NOT A RELEASE YET |
| 9 | +This is a release candidate for the 2008 Q1 branch of MediaWiki. |
10 | 10 | |
11 | 11 | MediaWiki is now using a "continuous integration" development model with |
12 | 12 | quarterly snapshot releases. The latest development code is always kept |
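Review bot: the replacement line `+This is a release candidate for the 2008 Q1 branch of MediaWiki.` looks like a stale quarter label copied from an earlier release's notes; this branch follows 1.13.x, whose own change notes in the HISTORY hunk of this commit carry 2008 CVE identifiers, so a "2008 Q1" branch for 1.14 is hard to reconcile. Please confirm the quarter before tagging, and consider naming the candidate explicitly (the DefaultSettings.php hunk sets `$wgVersion = '1.14rc1'`) so the notes and the version string agree.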