Tim has pushed out a new MediaWiki security release fixing up some XSS and CSRF bugs found by David Remahl of Apple. (Thanks David!)
As part of the update, our security checks for uploaded files have been improved — we now replicate Internet Explorer’s dangerous file type autodetection as closely as possible so we can tell when a file will be misdetected unsafely when downloaded by that popular browser.
Go ahead and download MediaWiki 1.13.3, 1.12.2, or 1.6.11. (Versions from 1.7 to 1.11 are old enough we’re no longer supporting them; we went ahead and pushed an update for 1.6 for the few PHP 4 stragglers out there. Upgrade to PHP 5, you guys! ;)
Update 2008-12-16: The 1.12.2 download and patch files are corrupt. :( You can pull 1.12.2 direct from SVN or update directly to 1.13; if you need a 1.12 download, please wait until a fixed release is built.
Note that release candidates for MediaWiki 1.14 should be coming soon, it’s time for our quarterly release!