1.8.2 marked unstable
1.6.8 and 1.7.1 are stable versions
1.5.8 and 1.4.15 have been removed from the tree but that feature was NOT present and should not be affected (to be verified / audited)

===============================================
Corrected versions are ready to go and are available less than 5 seconds after committing this bug.
===============================================

An XSS injection vulnerability was located in the AJAX support module, affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9

Full release notes:
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_0RC2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_8_3/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_7_2/phase3/RELEASE-NOTES
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_6_9/phase3/RELEASE-NOTES

Download:
http://sourceforge.net/project/showfiles.php?group_id=34373

MD5 checksums:
747d79037d3b90494d7e8b956a6bb9a0 mediawiki-1.9.0rc2.tar.gz
9ef825abfcf0888b22571bbb097480f0 mediawiki-1.8.3.tar.gz
ef33231cb1689dc813f4b08e955f4b18 mediawiki-1.7.2.tar.gz
1ce42061b5f7ea6e4101826b969d2ee4 mediawiki-1.6.9.tar.gz

SHA-1 checksums:
1451e8a8a10f41e517c12ede266dd1a5a743d8fe mediawiki-1.9.0rc2.tar.gz
fa4daa4376b80f61be5925e6172daa76938d9bad mediawiki-1.8.3.tar.gz
f63468ce745bbda6d42f66fc64c713b4fd000ef2 mediawiki-1.7.2.tar.gz
a00bcc6b306a92234da0c2cd3d564869a15045a0 mediawiki-1.6.9.tar.gz
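An added triage example, not part of the original report or of MediaWiki: it applies the advisory's two conditions (branch 1.6 or later below the listed fixed release, and `$wgUseAjax` enabled) to an installed version and the text of its `LocalSettings.php`. The function names, result labels and sample settings are constructed for illustration, and branches newer than 1.9 are assumed to carry the fix.

```python
import re

INF = float("inf")  # sorts a final release after any of its release candidates
# First fixed release per branch, from the advisory: (x, y, z) plus rc number.
FIXED = {
    (1, 6): ((1, 6, 9), INF),
    (1, 7): ((1, 7, 2), INF),
    (1, 8): ((1, 8, 3), INF),
    (1, 9): ((1, 9, 0), 2),  # 1.9.0rc2
}

def parse_version(version):
    """'1.9.0rc1' -> ((1, 9, 0), 1); '1.8.3' -> ((1, 8, 3), inf)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, (int(m.group(4)) if m.group(4) else INF)

def ajax_enabled(local_settings):
    """True if the last live $wgUseAjax assignment turns the module on."""
    text = re.sub(r"/\*.*?\*/", "", local_settings, flags=re.S)  # drop block comments
    # Only assignments that start a line count, so '#' and '//' comments are skipped.
    values = re.findall(r"^[ \t]*\$wgUseAjax\s*=\s*(\w+)\s*;", text, flags=re.M | re.I)
    return bool(values) and values[-1].lower() in ("true", "1")  # default is off

def assess(version, local_settings):
    """Classify one installation against the advisory."""
    key = parse_version(version)
    branch = key[0][:2]
    if branch < (1, 6):
        return "not-affected"  # advisory: affects 1.6.x and up
    fixed = FIXED.get(branch)
    # Assumption: branches newer than 1.9 already carry the fix.
    if fixed is None or key >= fixed:
        return "fixed"
    return "exposed" if ajax_enabled(local_settings) else "unpatched-ajax-off"

# Constructed LocalSettings.php fragment: two commented-out lines, one live one.
SAMPLE = """<?php
/* $wgUseAjax = false; */
# $wgUseAjax = false;
$wgUseAjax = true;
"""

if __name__ == "__main__":
    for v in ("1.5.8", "1.6.8", "1.8.2", "1.8.3", "1.9.0rc1", "1.9.0rc2"):
        print(v, assess(v, SAMPLE))
```

An `unpatched-ajax-off` result matches the advisory's "no danger in the default configuration" case, but the install becomes exposed as soon as an Ajax-based extension is enabled.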
I know of at least 2 users having this feature turned on.
thx, this is already public -> removing restriction. Rating as C4, but I'm not sure about this rating. Reopen bug or comment here if you disagree. C4 does not require a GLSA and since all arches seem stable, we are done here. Thanks
*** Bug 161167 has been marked as a duplicate of this bug. ***
*** Bug 162741 has been marked as a duplicate of this bug. ***