Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- RELEASE-NOTES 75
1 files changed, 68 insertions, 7 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 9ee7bd92..311ed825 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -1,14 +1,12 @@
= MediaWiki release notes =
-Security reminder: MediaWiki does not require PHP's register_globals
-setting since version 1.2.0. If you have it on, turn it *off* if you can.
+For upgrade instructions please see the UPGRADE file in this directory.
-== MediaWiki 1.13.2 ==
+== MediaWiki 1.13.3 ==
-October 2, 2008
+December 15, 2008
-This is a security and bugfix release of the Summer 2008 snapshot release of
-MediaWiki.
+This is a security release of the Summer 2008 snapshot release of MediaWiki.
MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
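Review bot: The register_globals security reminder at the top of the file is dropped here with no replacement visible in this hunk; the new line only points to the UPGRADE file. If the advice still applies, confirm that UPGRADE carries it, or keep the reminder beside the new security text, since a security release is when administrators are most likely to read these notes.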
@@ -21,6 +19,69 @@ will be made on the development trunk and appear in the next quarterly release.
Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
+== Changes since 1.13.2 ==
+
+David Remahl of Apple's Product Security team has identified a number of
+security issues in previous releases of MediaWiki. Subsequent analysis by the
+MediaWiki development team expanded the scope of these vulnerabilities. The
+issues with a significant impact are as follows:
+
+* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and
+ 1.13.2. [CVE-2008-5249]
+* A local script injection vulnerability affecting Internet Explorer clients for
+ all MediaWiki installations with uploads enabled. [CVE-2008-5250]
+* A local script injection vulnerability affecting clients with SVG scripting
+ capability (such as Firefox 1.5+), for all MediaWiki installations with SVG
+ uploads enabled. [CVE-2008-5250]
+* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
+ installations since the feature was introduced in 1.3.0. [CVE-2008-5252]
+
+XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
+authorised user's login session, and to act as that user on the wiki. The
+authorised user must visit a web page controlled by the attacker in order to
+activate the attack. Intranet wikis are vulnerable if the attacker can
+determine the intranet URL.
+
+Local script injection vulnerabilities are like XSS vulnerabilities, except
+that the attacker must have an account on the local wiki, and there is no
+external site involved. The attacker uploads a script to the wiki, which another
+user is tricked into executing, with the effect that the attacker is able to act
+as the privileged user.
+
+CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
+but unlike an XSS vulnerability, the attacker can only act as the user in a
+specific and restricted way. The present CSRF vulnerability allows pages to be
+edited, with forged revision histories. Like an XSS vulnerability, the
+authorised user must visit the malicious web page to activate the attack.
+
+These four vulnerabilities are all fixed in this release.
+
+David Remahl also reminded us of some security-related configuration issues:
+
+* By default, MediaWiki stores a backup of deleted images in the images/deleted
+ directory. If you do not want these images to be publically accessible, make
+ sure this directory is not accessible from the web. MediaWiki takes some steps
+ to avoid leaking these images, but these measures are not perfect.
+* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal
+ errors. This is the default on most shared web hosts.
+* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may
+ lead to path disclosure.
+
+Other changes in this release:
+
+* Avoid fatal error in profileinfo.php when not configured.
+* Add a .htaccess to deleted images directory for additional protection against
+ exposure of deleted files with known SHA-1 hashes on default installations.
+* Avoid streaming uploaded files to the user via index.php. This allows
+ security-conscious users to serve uploaded files via a different domain, and
+ thus client-side scripts executed from that domain cannot access the login
+ cookies. Affects Special:Undelete, img_auth.php and thumb.php.
+* When streaming files via index.php, use the MIME type detected from the
+ file extension, not from the data. This reduces the XSS attack surface.
+* Blacklist redirects via Special:Filepath. Such redirects exacerbate any
+ XSS vulnerabilities involving uploads of files containing scripts.
+* Internationalisation updates.
+
== Changes since 1.13.1 ==
* Security: Work around misconfiguration by requiring strict comparisons for
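Review bot: In the list of significant issues, the Internet Explorer upload bullet and the SVG upload bullet both cite [CVE-2008-5250], and the numbering jumps from 5250 to 5252, while the summary line says "These four vulnerabilities". Confirm whether the two upload issues really share one identifier and, if they do, say so explicitly so readers do not assume a typo. Smaller points: "publically" in the images/deleted bullet should be "publicly"; the added .htaccess only protects servers that honour .htaccess files, which that bullet could state; and the two index.php bullets ("Avoid streaming uploaded files to the user via index.php" and "When streaming files via index.php, use the MIME type detected from the file extension") read as contradictory unless the notes say in which cases streaming still happens.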
@@ -31,7 +92,7 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
* Localisation updates
* Security: Fixed XSS vulnerability in useskin parameter.
-== Changes since 1.13.0
+== Changes since 1.13.0 ==
* (bug 15460) Fixed intermittent deadlock errors and poor concurrent
performance for installations without memcached.