author    Pierre Schmitz <pierre@archlinux.de> 2007-02-21 07:27:15 +0000
committer Pierre Schmitz <pierre@archlinux.de> 2007-02-21 07:27:15 +0000
commit    9ea05545197378466dc3ceee0f55bcd5819264cb (patch)
tree      df8f9df6024e0ecd35769152027fb5f6f1dee8e1 /RELEASE-NOTES
parent    c39aeb62f7e8dfb6ba6467beb2d9d6f97fd84959 (diff)
Update to MediaWiki 1.9.3
Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r--  RELEASE-NOTES  37
1 files changed, 37 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 77ae6c5f..472409da 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,43 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.9.3 ==
+
+February 20, 2007
+
+This is a security and bug-fix update to the Winter 2007 quarterly release.
+Minor compatibility fixes for IIS and PostgreSQL are included.
+
+An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
+charset autodetection was located in the AJAX support module, affecting MSIE
+users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
+enabled.
+
+If you are using an extension based on the optional Ajax module,
+either disable it or upgrade to a version containing the fix:
+
+* 1.9: fixed in 1.9.3
+* 1.8: fixed in 1.8.4
+* 1.7: fixed in 1.7.3
+* 1.6: fixed in 1.6.10
+
+There is no known danger in the default configuration, with $wgUseAjax off.
+
+* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
+* (bug 8984) Fix a database error in Special:Recentchangeslinked
+ when using the PostgreSQL database.
+* Add 'charset' to Content-Type headers on various HTTP error responses
+ to forestall additional UTF-7-autodetect XSS issues. PHP sends only
+ 'text/html' by default when the script didn't specify more details,
+ which some inconsiderate browsers consider a license to autodetect
+ the deadly, hard-to-escape UTF-7.
+ This fixes an issue with the Ajax interface error message on MSIE when
+ $wgUseAjax is enabled (not default configuration); this UTF-7 variant
+ on a previously fixed attack vector was discovered by Moshe BA from BugSec:
+ http://www.bugsec.com/articles.php?Security=24
+* Trackback responses now specify XML content type
+
+
== MediaWiki 1.9.2 ==
February 4, 2007
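Review bot: the bullet "Add 'charset' to Content-Type headers on various HTTP error responses" names neither the charset value nor which responses were changed, so an administrator reading these notes cannot check the fix on their own install; state the value the headers now carry (for example "Add 'charset=UTF-8' ...", if that is what the code sets) and the response paths it covers. The advisory block above it also tells operators of Ajax-based extensions to "either disable it or upgrade" but gives no way to tell whether they are exposed; a sentence saying that the issue only applies when $wgUseAjax is set to true in the site configuration, and that the default is off (as the line "There is no known danger in the default configuration, with $wgUseAjax off" already implies), would make the two paragraphs consistent. Minor style point: the new section puts a blank line between "== MediaWiki 1.9.3 ==" and "February 20, 2007" and ends with two blank lines, while the existing "== MediaWiki 1.9.2 ==" heading is followed directly by "February 4, 2007"; match the surrounding convention so the file stays uniform.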