Reedy has uploaded a new change for review. https://gerrit.wikimedia.org/r/260305
Change subject: Update HISTORY for last round of releases ...................................................................... Update HISTORY for last round of releases Change-Id: I110b9c14aa042449524acf5b866e30f8fece4372 --- M HISTORY 1 file changed, 92 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/05/260305/1 diff --git a/HISTORY b/HISTORY index 9cb5399..0410bd5 100644 --- a/HISTORY +++ b/HISTORY @@ -1,6 +1,30 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.27. == MediaWiki 1.26 == +== MediaWiki 1.26.1 == + +This is a maintenance release of the MediaWiki 1.26 branch. + +=== Changes since 1.26.0 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy. +* Fixed stray literal \n in Special:Search. +* Fix issue that breaks HHVM Repo Authorative mode. +* (T120267) Work around APCu memory corruption bug === Configuration changes in 1.26 === * $wgPasswordResetRoutes['email'] = true by default. 
@@ -245,6 +269,31 @@ * DeferredUpdates::addHTMLCacheUpdate() was removed. == MediaWiki 1.25 == + +== MediaWiki 1.25.4 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.3 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. +* (T114606) mw.notify was not correctly fixed to the page if + initialized while not at the top of the page. +* Fix issue that breaks HHVM Repo Authorative mode. == MediaWiki 1.25.3 == 
@@ -844,6 +893,28 @@ For notes on 1.24.x and older releases, see HISTORY. == MediaWiki 1.24 == + +== MediaWiki 1.24.5 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +== Changes since 1.24.4 == +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. == MediaWiki 1.24.4 == 
@@ -1610,6 +1681,27 @@ == MediaWiki 1.23 == +== MediaWiki 1.23.12 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +== Changes since 1.23.11 == +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki + == MediaWiki 1.23.11 == This is a security and maintenance release of the MediaWiki 1.23 branch. -- To view, visit https://gerrit.wikimedia.org/r/260305 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I110b9c14aa042449524acf5b866e30f8fece4372 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Reedy <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
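Review bot: In the 1.26.1 hunk (@@ -1,6 +1,30 @@), the intro line reads "This is a maintenance release of the MediaWiki 1.26 branch." although six of the entries below it are marked SECURITY. The 1.25.4, 1.24.5 and 1.23.12 hunks all say "security and maintenance release", so use the same wording here. In the same hunk, "HHVM Repo Authorative mode" should read "Authoritative".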
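Review bot: In the 1.25.4 hunk (@@ -245,6 +269,31 @@), the T119309 entry names hash_compare(), which is not a PHP function; the timing-safe string comparison is hash_equals(). The entry is repeated verbatim in the 1.26.1, 1.24.5 and 1.23.12 hunks, so the name needs correcting in all four places. The last added line of this hunk also carries the "Authorative" typo.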
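Review bot: In the 1.24.5 hunk (@@ -844,6 +893,28 @@), the line under the "== MediaWiki 1.24.5 ==" heading says "release of the MediaWiki 1.23 branch", which looks copied from the 1.23 section; it should name the 1.24 branch. The "== Changes since 1.24.4 ==" heading is also level 2 here, while the 1.26.1 and 1.25.4 hunks use "=== Changes since ... ===".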
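Review bot: In the 1.23.12 hunk (@@ -1610,6 +1681,27 @@), "== Changes since 1.23.11 ==" sits at the same heading level as "== MediaWiki 1.23.12 ==", so it reads as a sibling section rather than a subsection. The 1.26.1 and 1.25.4 hunks use "=== Changes since ... ===". Suggest "=== Changes since 1.23.11 ===" unless the older 1.23.x sections in HISTORY deliberately use level 2, in which case a short comment on the inconsistency would help.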
