Software update: MediaWiki 1.15.2


MediaWiki is a wiki engine that is licensed under the GPL and can be used to create and manage content. The engine is used, among other things, for the websites of the Wikimedia Foundation, including Wikipedia and Wiktionary. The appearance of MediaWiki can be completely customized using skins. On this page are some examples of skins. The developers have released a new version of the wiki engine, with version number 1.15.2. The corresponding announcement looks like this:

MediaWiki security update: 1.15.2

This is a security and bugfix release of MediaWiki 1.15.2.

Two security issues were discovered:

A CSS validation issue was discovered which allows editors to display external images in wiki pages. This is a privacy concern on public wikis, since a malicious user may link to an image on a server they control, which would allow that attacker to gather IP addresses and other information from users of the public wiki. All sites running publicly-editable MediaWiki installations are advised to upgrade. All versions of MediaWiki (prior to this one) are affected.

A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. All versions of MediaWiki since 1.5 are affected.

Deleting thumb.php is a suitable workaround for private wikis which do not use $wgThumbnailScriptPath or $wgLocalRepo['thumbScriptUrl']. Alternatively, you can upgrade to MediaWiki 1.15.2 or backport the patch below to whatever version of MediaWiki you are using.

MediaWiki is not compatible with PHP 5.3.1 due to a bug in that release, which is fixed in PHP 5.3.2. This release of MediaWiki will refuse to upgrade if an affected version of PHP is present. Note that local or distribution-specific backports of the PHP bug fix are supported. See http://bugs.php.net/50394 for details.

Full release notes: http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_2/phase3/RELEASE-NOTES
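
A pre-check for the thumb.php workaround described in the announcement above, as an added example (not part of the announcement or of MediaWiki). It assumes the site configuration is in LocalSettings.php in the installation root; the function name thumb_workaround_check is hypothetical. Whether the wiki is private remains the administrator's judgement.

```shell
#!/bin/sh
# Added example: does the "delete thumb.php" workaround apply to this install?
# Assumption: site configuration is LocalSettings.php in the wiki root.
#
# Prints a verdict and returns:
#   0  thumb.php present and neither thumbnail-script setting is referenced
#   1  a thumbnail-script setting is referenced (upgrade or backport instead)
#   2  thumb.php is not present (nothing to delete)
#   3  LocalSettings.php is missing (cannot decide)
thumb_workaround_check() {
    root=$1
    settings="$root/LocalSettings.php"

    if [ ! -f "$settings" ]; then
        echo "unknown: $settings not found"
        return 3
    fi
    if [ ! -f "$root/thumb.php" ]; then
        echo "nothing-to-do: thumb.php is not present in $root"
        return 2
    fi

    # Blank out whole-line comments (# and //), then look for either setting
    # named in the announcement. Deliberately conservative: any live mention,
    # even an explicit "= false", is reported for manual review.
    if sed -e 's/^[[:space:]]*#.*//' -e 's|^[[:space:]]*//.*||' "$settings" |
        grep -E -q 'wgThumbnailScriptPath|thumbScriptUrl'; then
        echo "in-use: thumbnail script setting referenced in $settings"
        return 1
    fi

    echo "workaround-applies: no thumbnail script setting in $settings"
    return 0
}

# Stand-alone use: sh check.sh /path/to/wiki
if [ "$#" -gt 0 ]; then
    thumb_workaround_check "$1"
fi
```

A result of 1 means thumb.php is part of the site's thumbnail handling, so the upgrade or the backported patch is the route to take.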

Version number: 1.15.2
Release status: Final
Operating systems: Script language
Website: MediaWiki
Download: http://www.mediawiki.org/wiki/Download
License type: GPL