diff options
| author | Tim Starling <tstarling@users.mediawiki.org> | 2009-02-07 02:54:07 +0000 |
|---|---|---|
| committer | Tim Starling <tstarling@users.mediawiki.org> | 2009-02-07 02:54:07 +0000 |
| commit | 6a6451a5a6f45c120024fbca3456f9155ea58cea (patch) | |
| tree | aa68802b00bb3f4b612604ed6ebc3a7b3bde36dc | |
| parent | 1313f20d661a9366dcc3a3e38ee5d98a9bdfd307 (diff) | |
Updates for release1.13.4
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/46957
| -rw-r--r-- | RELEASE-NOTES | 21 | ||||
| -rw-r--r-- | includes/DefaultSettings.php | 2 |
2 files changed, 19 insertions, 4 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 311ed825e4a3..1071830bbfe3 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -2,11 +2,11 @@ For upgrade instructions please see the UPGRADE file in this directory. -== MediaWiki 1.13.3 == +== MediaWiki 1.13.4 == -December 15, 2008 +February 7, 2009 -This is a security release of the Summer 2008 snapshot release of MediaWiki. +This is a security update to the Summer 2008 snapshot release of MediaWiki. MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept @@ -19,6 +19,21 @@ will be made on the development trunk and appear in the next quarterly release. Those wishing to use the latest code instead of a branch release can obtain it from source control: http://www.mediawiki.org/wiki/Download_from_SVN +== Changes since 1.13.3 == + +A number of cross-site scripting (XSS) security vulnerabilities were discovered +in the web-based installer (config/index.php). These vulnerabilities all +require a live installer -- once the installer has been used to install a wiki, +it is deactivated. + +Note that cross-site scripting vulnerabilities can be used to attack any website +in the same cookie domain. So if you have an uninstalled copy of MediaWiki on +the same site as an active web service, MediaWiki could be used to attack the +active service. + +If you are hosting an old copy of MediaWiki that you have never installed, you +are advised to remove it from the web. + == Changes since 1.13.2 == David Remahl of Apple's Product Security team has identified a number of diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 2fc87e8765a5..877e4ebda704 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -31,7 +31,7 @@ require_once( "$IP/includes/SiteConfiguration.php" ); $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.13.3'; +$wgVersion = '1.13.4'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; |