Hello community, here is the log from the commit of package mediawiki checked in at Wed Jan 10 17:50:59 CET 2007. -------- --- mediawiki/mediawiki.changes 2006-10-16 15:22:48.000000000 +0200 +++ /mounts/work_src_done/STABLE/mediawiki/mediawiki.changes 2007-01-10 13:35:37.000000000 +0100 @@ -1,0 +2,12 @@ +Wed Jan 10 13:32:46 CET 2007 - anicka@suse.cz + +- update to 1.8.2 + * Regression in AutoAuthenticate hook + * Run PHP install version checks on update.php so command-line + updaters see new version requirements + * Do a check for the PHP 5.0.x 64-bit bug, since this is much + more disruptive as of MW 1.8 than it used to be. Install or + upgrade now aborts with a warning and a request to upgrade. + * XSS fix in AJAX module + +------------------------------------------------------------------- Old: ---- mediawiki-1.8.2.tar.bz2 New: ---- mediawiki-1.8.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mediawiki.spec ++++++ --- /var/tmp/diff_new_pack.lJ8609/_old 2007-01-10 17:50:06.000000000 +0100 +++ /var/tmp/diff_new_pack.lJ8609/_new 2007-01-10 17:50:06.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package mediawiki (Version 1.8.2) +# spec file for package mediawiki (Version 1.8.3) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -12,12 +12,12 @@ Name: mediawiki BuildRequires: ocaml -License: GPL +License: GNU General Public License (GPL) Group: Productivity/Networking/Web/Utilities URL: http://www.mediawiki.org Requires: mod_php_any php-session php-gettext php-zlib php-mysql ImageMagick-Magick++ tetex cjk-latex Autoreqprov: on -Version: 1.8.2 +Version: 1.8.3 Release: 1 Summary: A Web-Based Collaborative Editing Environment BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -103,6 +103,15 @@ %attr(-, root, www) %{mediawiki_path}/config %changelog -n mediawiki +* Wed Jan 10 2007 - anicka@suse.cz +- update to 1.8.2 + * Regression in AutoAuthenticate hook + * Run PHP install version checks on update.php so command-line + updaters see new version requirements + * Do a check for the PHP 5.0.x 64-bit bug, since this is much + more disruptive as of MW 1.8 than it used to be. Install or + upgrade now aborts with a warning and a request to upgrade. + * XSS fix in AJAX module * Mon Oct 16 2006 - anicka@suse.cz - update to 1.8.2 * major quarterly release ++++++ mediawiki-1.8.2.tar.bz2 -> mediawiki-1.8.3.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/includes/AjaxDispatcher.php new/mediawiki-1.8.3/includes/AjaxDispatcher.php --- old/mediawiki-1.8.2/includes/AjaxDispatcher.php 2006-10-14 02:06:32.000000000 +0200 +++ new/mediawiki-1.8.3/includes/AjaxDispatcher.php 2007-01-09 08:51:04.000000000 +0100 @@ -55,7 +55,7 @@ if (! in_array( $this->func_name, $wgAjaxExportList ) ) { header( 'Status: 400 Bad Request', true, 400 ); - echo "unknown function {$this->func_name}"; + print "unknown function " . htmlspecialchars( (string) $this->func_name ); } else { try { $result = call_user_func_array($this->func_name, $this->args); diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/includes/DefaultSettings.php new/mediawiki-1.8.3/includes/DefaultSettings.php --- old/mediawiki-1.8.2/includes/DefaultSettings.php 2006-10-14 02:06:34.000000000 +0200 +++ new/mediawiki-1.8.3/includes/DefaultSettings.php 2007-01-09 08:51:05.000000000 +0100 
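Review bot: In the AjaxDispatcher.php hunk the 400 response still declares no content type or charset before the new `print`, so the fix rests on `htmlspecialchars()` defaults alone and on the browser guessing the encoding. No `Content-Type` header is visible in the hunk; if none is sent earlier, add `header( 'Content-Type: text/plain; charset=utf-8' );` next to the existing `Status` header so the error body is never parsed as markup. Passing `ENT_QUOTES` as the second argument to `htmlspecialchars()` would also cover single quotes if this string is ever reused in an attribute context. Separately, the allowlist test on the context line compares loosely; `in_array( $this->func_name, $wgAjaxExportList, true )` makes the gate in front of `call_user_func_array()` exact. The enclosing method starts and ends outside the hunk.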
@@ -32,7 +32,7 @@ $wgConf = new SiteConfiguration; /** MediaWiki version number */ -$wgVersion = '1.8.2'; +$wgVersion = '1.8.3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/includes/StubObject.php new/mediawiki-1.8.3/includes/StubObject.php --- old/mediawiki-1.8.2/includes/StubObject.php 2006-10-14 02:06:32.000000000 +0200 +++ new/mediawiki-1.8.3/includes/StubObject.php 2007-01-09 08:51:04.000000000 +0100 @@ -121,7 +121,7 @@ $user->setLoaded( true ); } else { $user = User::loadFromSession(); - wfRunHooks('AutoAuthenticate',array($user)); + wfRunHooks('AutoAuthenticate',array(&$user)); } return $user; } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/install-utils.inc new/mediawiki-1.8.3/install-utils.inc --- old/mediawiki-1.8.2/install-utils.inc 2006-10-14 02:07:04.000000000 +0200 +++ new/mediawiki-1.8.3/install-utils.inc 2007-01-09 08:51:23.000000000 +0100 @@ -14,6 +14,16 @@ echo "PHP 5.0.0 or higher is required. ABORTING.\n"; die( -1 ); } + + // Test for PHP bug which breaks PHP 5.0.x on 64-bit... + // As of 1.8 this breaks lots of common operations instead + // of just some rare ones like export. + $borked = str_replace( 'a', 'b', array( -1 => -1 ) ); + if( !isset( $borked[-1] ) ) { + echo "PHP 5.0.x is buggy on your 64-bit system; you must upgrade to PHP 5.1.x\n" . + "or higher. ABORTING. (http://bugs.php.net/bug.php?id=34879 for details)\n"; + die( -1 ); + } global $wgCommandLineMode; $wgCommandLineMode = true; diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/maintenance/update.php new/mediawiki-1.8.3/maintenance/update.php --- old/mediawiki-1.8.2/maintenance/update.php 2006-10-14 02:06:04.000000000 +0200 +++ new/mediawiki-1.8.3/maintenance/update.php 2007-01-09 08:50:38.000000000 +0100 
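Review bot: In the StubObject.php hunk, `$user` is returned unchecked after `wfRunHooks('AutoAuthenticate',array(&$user));`, although the hook now receives it by reference and can replace it with any value. Since this object becomes the request's identity, a guard such as `if ( !( $user instanceof User ) ) { ... }` before `return $user;` would keep a faulty hook handler from handing a non-User value to the callers. The return value of `wfRunHooks()` is also ignored here, so an aborting handler is indistinguishable from a successful one. At minimum, add a comment like `// Hooks may replace $user; handlers are part of the authentication trust boundary` above the call. The enclosing function begins outside the hunk.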
@@ -18,6 +18,8 @@ echo( "MediaWiki {$wgVersion} Updater\n\n" ); +install_version_checks(); + # Do a pre-emptive check to ensure we've got credentials supplied # We can't, at this stage, check them, but we can detect their absence, # which seems to cause most of the problems people whinge about diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/mediawiki-1.8.2/RELEASE-NOTES new/mediawiki-1.8.3/RELEASE-NOTES --- old/mediawiki-1.8.2/RELEASE-NOTES 2006-10-14 02:07:04.000000000 +0200 +++ new/mediawiki-1.8.3/RELEASE-NOTES 2007-01-09 08:51:24.000000000 +0100 @@ -3,6 +3,34 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.8.3 == + +January 9, 2007 + +MediaWiki 1.8.3 fixes several issues in the Fall 2006 snapshot release: +* (bug 7831) Regression in AutoAuthenticate hook +* Run PHP install version checks on update.php so command-line updaters see + new version requirements +* Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive + as of MW 1.8 than it used to be. Install or upgrade now aborts with a + warning and a request to upgrade. +* XSS fix in AJAX module + +An XSS injection vulnerability was located in the AJAX support module, +affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax +is enabled. + +There is no danger in the default configuration, with $wgUseAjax off. + +If you are using an extension based on the optional AJAX module, +either disable it or upgrade to a version containing the fix: + +* 1.9: fixed in 1.9.0rc2 +* 1.8: fixed in 1.8.3 +* 1.7: fixed in 1.7.2 +* 1.6: fixed in 1.6.9 + + == MediaWiki 1.8.2 == October 13, 2006 
@@ -366,6 +394,10 @@ MediaWiki 1.8 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported. +PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing: +http://bugs.php.net/bug.php?id=34879 +Upgrade affected systems to PHP 5.1 or higher. + MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org