MediaWiki 1.24.1
17 December 2014
MediaWiki version 1.24.1 is now available (security release).
Upgrading to MediaWiki 1.24.1
MediaWiki 1.24.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.24.1 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.24.1
This is a regular security and maintenance release.
Security fixes
- (bug T76686) [SECURITY] thumb.php outputs a wikitext message as raw HTML, which could lead to XSS. Permission to edit the MediaWiki namespace is required to exploit this.
- (bug T77028) [SECURITY] A malicious site could bypass the CORS restrictions in $wgCrossSiteAJAXdomains for API calls if its name merely contained an allowed domain as a substring, rather than matching it exactly.
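The T77028 entry describes an origin allowlist that matched an allowed domain as a substring of the requesting origin. As an added illustration (not MediaWiki's own code; the allowlist, Origin values and function names are constructed), here is that weak check beside a strict whole-host comparison:

```python
from urllib.parse import urlsplit

# Constructed allowlist in the spirit of $wgCrossSiteAJAXdomains: exact hosts,
# plus a leading "*." meaning "any subdomain of". Not MediaWiki's real config.
ALLOWED = ["wiki.example.org", "*.example.net"]


def substring_match(origin, allowed=ALLOWED):
    """Weak check (hypothetical): allow if an allowed name appears anywhere in
    the Origin string. This is the bug class behind T77028: an origin such as
    wiki.example.org.attacker.test contains the allowed name and is accepted."""
    for entry in allowed:
        name = entry[2:] if entry.startswith("*.") else entry
        if name in origin:
            return True
    return False


def strict_match(origin, allowed=ALLOWED):
    """Hardened check: parse the Origin header and compare the whole host name."""
    parts = urlsplit(origin)
    host = parts.hostname  # lower-cased and stripped of any port by urlsplit
    if parts.scheme not in ("http", "https") or not host:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            # Wildcard: host must end with ".example.net" and be longer than it.
            suffix = entry[1:]
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


# Constructed Origin header values: two legitimate, three lookalikes.
SAMPLE_ORIGINS = [
    "https://wiki.example.org",
    "https://api.example.net",
    "https://wiki.example.org.attacker.test",
    "https://attacker.test/?ref=wiki.example.org",
    "https://example.net.attacker.test",
]


def evaluate(origins=SAMPLE_ORIGINS):
    """Return {origin: (substring_result, strict_result)} for each sample."""
    return {o: (substring_match(o), strict_match(o)) for o in origins}
```

Calling evaluate() shows the substring check accepting all five origins while the strict check accepts only the two legitimate ones.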
Bugfixes
- (bug T74222) The original patch for T74222 was reverted as unnecessary.
- Fixed a couple of entries in RELEASE-NOTES-1.24.
- (bug T76168) OutputPage: Add accessors for some protected properties.
- (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
- Add a missing $ in front of a variable in OutputPage.php.
Security fixes in extensions
- (bug T77624) [SECURITY] Extension:Listings: missing validation in the 'name' and 'url' parameters.
- (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input as wikitext and shows a preview, yet it fails to add an edit token to the form and check it. This can be exploited as an XSS when $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
- (bug T76195) [SECURITY] Extension:TemplateSandbox: Special:TemplateSandbox needs an edit token when raw HTML is allowed.
- (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
- (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin leakage of data from a wiki through timing.
- (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 library for CVE-2014-2053.