MediaWiki 1.24.4
16 October 2015
MediaWiki version 1.24.4 is now available (security release).
Upgrading to MediaWiki 1.24.4
MediaWiki 1.24.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.24.4 upgrade prior to applying it live.
What's New in MediaWiki 1.24.4
This release fixes five security issues in the core, in addition to other bug fixes.
Security fixes
- Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
- Internal review discovered that it is not possible to throttle file uploads. (T91850)
- Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions. (T95589)
- Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)
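The two chunked upload issues (T91203, T91205) both come down to what the server checks before it stores a chunk. The sketch below is an added example, not MediaWiki's code or its actual fix: the class name, the limits and the refusal messages are all hypothetical, and it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Assumed limits for this illustration; not MediaWiki settings.
const MAX_UPLOAD_BYTES = 100 * 1024 * 1024;
const MIN_CHUNK_BYTES = 1024;

final class ChunkedUploadSession
{
    private int $received = 0;

    public function __construct(private int $declaredSize)
    {
        if ($declaredSize < 1 || $declaredSize > MAX_UPLOAD_BYTES) {
            throw new InvalidArgumentException('declared size out of range');
        }
    }

    // Returns null when the chunk is accepted, otherwise the refusal reason.
    public function addChunk(int $offset, string $data): ?string
    {
        $len = strlen($data);
        $remaining = $this->declaredSize - $this->received;
        if ($remaining === 0) {
            return 'upload already complete';
        }
        if ($offset !== $this->received) {
            return 'offset does not match bytes received';
        }
        if ($len === 0) {
            return 'empty chunk';
        }
        if ($len > $remaining) {
            return 'chunk exceeds declared size';
        }
        // Only the final chunk may be short, which bounds the chunk count
        // (and files on disk) to ceil(declaredSize / MIN_CHUNK_BYTES).
        if ($len < MIN_CHUNK_BYTES && $len !== $remaining) {
            return 'non-final chunk below minimum size';
        }
        $this->received += $len;
        return null;
    }
}

// Constructed input: a 3000-byte upload fed [offset, length] pairs.
$session = new ChunkedUploadSession(3000);
foreach ([[0, 1], [0, 2000], [2000, 2000], [2000, 1000], [3000, 1]] as [$off, $len]) {
    printf("offset=%d len=%d: %s\n", $off, $len, $session->addChunk($off, str_repeat('x', $len)) ?? 'accepted');
}
```

Checking the running total against the declared size covers the first issue, and the minimum size for non-final chunks covers the second.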
Bugfixes
- Minimal PSR-3 debug logger to support backports from 1.25+. (T91653)
- Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. (T68650)