path: root/RELEASE-NOTES-1.22
Diffstat (limited to 'RELEASE-NOTES-1.22')
-rw-r--r-- | RELEASE-NOTES-1.22 | 98
1 files changed, 98 insertions, 0 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index be1d96a7..9d10f222 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -3,6 +3,104 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
+== MediaWiki 1.22.14 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.13 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
+
+== MediaWiki 1.22.13 ==
+
+This is a maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.12 ===
+
+* (Bug 67440) Allow classes to be registered properly from installer
+
+== MediaWiki 1.22.12 ==
+
+This is a security release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.11 ===
+
+* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
+ allowance.
+
+== MediaWiki 1.22.11 ==
+
+This is a security release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.10 ===
+* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
+ elements; normalize style elements and attributes before filtering; add
+ checks for attributes that contain css; add unit tests for html5sec and
+ reported bugs.
+
+== MediaWiki 1.22.10 ==
+
+This is a maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.9 ===
+
+* (bug 64970) Fix support for blobs on DatabaseOracle::update
+* (bug 60719) In MediaWiki 1.22, the job queue execution on each page
+ request was changed (Gerrit change 59797) so, instead of executing
+ the job inside the same PHP process that's rendering the page, a new
+ PHP cli command is spawned to execute runJobs.php in the
+ background. It will only work if $wgPhpCli is set to an actual path
+ or safe mode is off, otherwise, the old method will be used.
+
+ https://www.mediawiki.org/wiki/Manual:Job_queue#Changes_introduced_in_MediaWiki_1.22
+ for more infomation. This change was in earlier releases of 1.22
+ but was not noted here until now.
+
+== MediaWiki 1.22.9 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.8 ===
+
+* (bug 68187) SECURITY: Prepend jsonp callback with comment.
+* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
+ for loading a new page in Javascript,instead of relying on the URL in the link
+ that has been clicked.
+* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
+ ParserOutput.
+* (bug 59147) The img_metadata field was not being decoded from bytea into text.
+
== MediaWiki 1.22.8 ==
This is a security and maintenance release of the MediaWiki 1.22 branch.
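Review bot: several wording and formatting slips in the added release-note text should be fixed before merge: "for more infomation" should read "for more information", "Javascript,instead of relying" is missing the space after the comma, and "could lead to xss" should capitalise "XSS" as the other entries do. The bare line "https://www.mediawiki.org/wiki/Manual:Job_queue#Changes_introduced_in_MediaWiki_1.22" after the $wgPhpCli paragraph reads as a sentence fragment; prefixing it with "See" would make it agree with the "for more information" that follows. The "=== Changes since 1.22.10 ===" heading is the only one in the hunk without a blank line before its bullet list, and the 1.22.15 section switches to the "(bug T76686) [SECURITY]" form while every earlier section uses "(bug NNNNN) SECURITY:"; one convention should be used throughout so the notes stay greppable for security entries.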