
Fedora 26: Important Security Advisory for MediaWiki 1.28.1 Released

April 13, 2017
Fedora 26 users: A security update for MediaWiki 1.28.1 is available, fixing critical vulnerabilities and enhancing stability. Upgrade now to secure your system.

Summary

MediaWiki is the software used for Wikipedia and the other Wikimedia Foundation websites. Compared to other wikis, it has an excellent range of features and support for high-traffic websites using multiple servers.

This package supports wiki farms. Read the instructions for creating wiki instances under /usr/share/doc/mediawiki/README.RPM. Remember to remove the config dir after completing the configuration.

https://www.mediawiki.org/wiki/Release_notes/1.28#MediaWiki_1.28.1

Changes since 1.28.0

* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
* (T145635) Fix too long index error when installing with MSSQL
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
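Several of the changes above depend on how a wiki is configured. The following Python check is an added example, not part of the advisory or of MediaWiki: it reads the text of a LocalSettings.php and reports which of those configuration-dependent items apply. The sample configuration is constructed, the parser only understands simple top-level assignments, and an unset $wgJobRunRate is assumed to mean MediaWiki's default of 1.

```python
import re

# Simple top-level assignments only, e.g.  $wgRawHtml = true;
ASSIGN = re.compile(r'^\s*\$(wg\w+)\s*=\s*([^;]+);', re.MULTILINE)

def parse_settings(php_text):
    """Return {setting: raw value}; commented-out lines are ignored, last assignment wins."""
    text = re.sub(r'/\*.*?\*/', '', php_text, flags=re.DOTALL)
    text = re.sub(r'^\s*(#|//).*$', '', text, flags=re.MULTILINE)
    return {m.group(1): m.group(2).strip() for m in ASSIGN.finditer(text)}

def is_true(value):
    return value is not None and value.lower() in ('true', '1')

def audit(php_text):
    """List the 1.28.1 changes from the advisory that depend on this wiki's settings."""
    s = parse_settings(php_text)
    findings = []
    if is_true(s.get('wgAdvancedSearchHighlighting')):
        findings.append('T144845: $wgAdvancedSearchHighlighting is true, so the '
                        'SearchHighlighter::highlightText() XSS fix applies here')
    if is_true(s.get('wgRawHtml')):
        findings.append('T156184: $wgRawHtml is true; after the update it no longer '
                        'applies to internationalization messages')
    try:
        # Assumption: an unset $wgJobRunRate means MediaWiki's default of 1.
        rate_positive = float(s.get('wgJobRunRate', '1')) > 0
    except ValueError:
        rate_positive = True  # not a plain number: review by hand
    if rate_positive and 'wgRunJobsAsync' not in s:
        findings.append('T142751: $wgJobRunRate > 0 and $wgRunJobsAsync is not set; '
                        'its default is now false')
    return findings

# Constructed sample configuration, not taken from a real wiki.
SAMPLE = """<?php
$wgSitename = "Example";
// $wgRawHtml = true;
$wgAdvancedSearchHighlighting = true;
$wgJobRunRate = 0.01;
"""

if __name__ == '__main__':
    for line in audit(SAMPLE):
        print(line)
```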

[1] Bug #1400170 - mediawiki-1.28.1 is available
    https://bugzilla.redhat.com/show_bug.cgi?id=1400170

Run su -c 'dnf upgrade mediawiki' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: important

Product: Fedora 26
Version: 1.28.1
Release: 2.fc26
Summary: A wiki engine
