Release notes/1.4

From MediaWiki.org

MediaWiki 1.4.x (Legacy Releases)

MediaWiki Stable Releases 1.4.x

Security: No one should install these on new wikis – security updates for older wikis only.

1.4.15

Released on 2006-03-26.

MediaWiki 1.4.15 is a security maintenance release.

A bug in decoding of certain encoded links could allow injection of raw HTML into page output; this could potentially lead to XSS attacks. Additionally, this release may display more correctly in IE7 betas.

1.4.14

Released on 2006-01-19.

MediaWiki 1.4.14 is a security and bugfix maintenance release.

A bug in edit comment formatting could send PHP into an infinite loop if certain malformed links were included. In most installations, this would cause the script to fail after PHP's 30-second failsafe timeout.

1.4.13

Released on 2006-01-05.

MediaWiki 1.4.13 is a security and bugfix maintenance release.

1.4.12

Released on 2005-11-02.

MediaWiki 1.4.12 is a bugfix and security maintenance release.

Additional Notes:

  • A change in PHP 4.4.1 broke handling of extension and <pre> sections, causing garbage data to be inserted in output and saved edits. This version works around the change.
  • This release includes further corrections to the inline CSS style sanitization which works around a JavaScript "feature" on Microsoft Internet Explorer. Users of Microsoft Internet Explorer for Windows may be vulnerable to XSS injections on prior 1.4 releases; users of standards-compliant browsers are not vulnerable.
  • All publicly accessible wikis are recommended to upgrade to reduce the risk to visitors using Microsoft web browsers.

1.4.11

Released on 2005-10-05.

MediaWiki 1.4.11 is a security maintenance release.

Additional Notes:

  • Unsafe handling of CSS by Microsoft Internet Explorer could be exploited to produce cross-site scripting attacks by JavaScript injection to clients running that browser.
  • This release blacklists several additional variants from use in HTML inline style attributes.
  • All publicly accessible wikis are recommended to upgrade to reduce the risk to visitors using Microsoft web browsers.

1.4.10

Released on 2005-09-21.

MediaWiki 1.4.10 is a security maintenance release.

Additional Notes:

  • A bug in edit submission handling could cause corruption of the previous revision in the database if an abnormal URL was used, such as those used by some spambots.
  • Affected releases:
    • 1.4.x <= 1.4.9; fixed in 1.4.10
    • 1.3.x <= 1.3.15; fixed in 1.3.16
  • 1.5 release candidates are not affected by this problem.

All publicly editable wikis are strongly recommended to upgrade immediately.

1.4 releases can be manually patched by changing this bit in EditPage.php:

    function importFormData( &$request ) {
        if( $request->wasPosted() ) {

to:

    function importFormData( &$request ) {
        if( $request->getVal( 'action' ) == 'submit' && $request->wasPosted() ) {

1.4.9

Released on 2005-08-29.

MediaWiki 1.4.9 is a security maintenance release.

  • See the full release notes.
  • It corrects two cross-site scripting security bugs:
    • <math> tags were handled incorrectly when TeX rendering support is off, as in the default configuration.
    • Extension or <nowiki> sections in Wiki table syntax could bypass HTML style attribute restrictions for cross-site scripting attacks against Microsoft Internet Explorer.

1.4.8

Released on 2005-08-23.

MediaWiki 1.4.8 is a bug fix and security maintenance release.

  • A flaw in the interaction between extensions and HTML attribute sanitization was discovered which could allow unauthorized use of offsite resources in style sheets, and possible exploitation of a JavaScript injection feature on Microsoft Internet Explorer.
  • This version expands the returned text and properly checks it before output.
  • Additionally, an update to skins/MonoBook.php ensures that sites using the default MonoBook skin will display correctly in the Internet Explorer 7 beta. (1.3 and 1.5 are not affected by this bug.)
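
The ordering problem behind the 1.4.8 fix (checking an attribute before the extension's returned text has been expanded into it), shown as an added sketch that is not MediaWiki's own code. The marker format, every function name and the two-item blacklist (`url(` for offsite resources, `expression(` for Internet Explorer's script-in-CSS construct) are assumptions made for illustration.

```php
<?php
// Added illustration, not MediaWiki source. All names and the marker format are hypothetical.

// Constructed sample: text returned by an extension or <nowiki> section,
// held aside under an opaque marker while the rest of the page is parsed.
$stripState = [ "\x07UNIQ-0\x07" => 'background: url(http://offsite.example/track.png)' ];

// Put the held-aside text back in place of its marker.
function expandMarkers( string $text, array $stripState ): string {
    return strtr( $text, $stripState );
}

// True when a style value contains none of the constructs this sketch blacklists.
function styleIsSafe( string $css ): bool {
    $css = preg_replace( '!/\*.*?\*/!s', '', $css );   // remove CSS comments before matching
    return !preg_match( '/(expression|url)\s*\(/i', $css );
}

// Flawed order: the check sees only the marker, and expansion happens afterwards,
// so the returned text is never inspected.
function renderStyleCheckFirst( string $value, array $stripState ): string {
    $checked = styleIsSafe( $value ) ? $value : '';
    return expandMarkers( $checked, $stripState );
}

// Fixed order, as the 1.4.8 note describes: expand the returned text,
// then check it before output.
function renderStyleExpandFirst( string $value, array $stripState ): string {
    $expanded = expandMarkers( $value, $stripState );
    return styleIsSafe( $expanded ) ? $expanded : '';
}

$attr = "\x07UNIQ-0\x07";   // the style value as the attribute check first encounters it
var_dump( renderStyleCheckFirst( $attr, $stripState ) );
var_dump( renderStyleExpandFirst( $attr, $stripState ) );
var_dump( renderStyleExpandFirst( 'color: red', $stripState ) );
```

With the check-first order the offsite `url(...)` value reaches the output untouched; with the expand-first order it is dropped, while an ordinary value passes through.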

1.4.7

Released on 2005-07-16.

MediaWiki 1.4.7 is a stable series bugfix release.

Additional Notes:

  • Those affected by the following problems in 1.4.6 should upgrade:
    • Watchlist breakage on MySQL 3.23.x and with table prefix enabled
    • Possible breakage in watchlist, some image resizing modes on PHP 4.1.2
  • 1.4.6 included a fix for a cross-site scripting vulnerability, so anyone running older 1.4 releases is very strongly encouraged to upgrade as well.

Note to upgraders: current versions of MediaWiki are known to produce a large number of notice-level warnings under the newly released PHP 4.4.0. These appear, however, to be harmless; if you encounter them, add error_reporting( E_ALL & ~E_NOTICE ); to your LocalSettings.php to suppress the notices.

  • PHP 5.1.0 beta 3 is known to be incompatible at this time.
  • MySQL 3.23.x and table prefix compatibility fix: restore old watchlist code (MediaZilla:2747, MediaZilla:2755)
  • PHP 4.1.2 compatibility fix: define floatval() equivalent if missing

1.4.6

Released on 2005-07-07.

MediaWiki 1.4.6 is a stable series security and bugfix release. For details of this and all earlier releases, please see the old main page at wikipedia.sourceforge.net.

1.4.5

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0