Diffstat (limited to 'RELEASE-NOTES-1.22')
1 files changed, 27 insertions, 0 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 9602c710..20c19471 100644
@@ -3,11 +3,37 @@
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
+== MediaWiki 1.22.14 ==
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+=== Changes since 1.22.13 ===
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
== MediaWiki 1.22.13 ==
This is a maintenance release of the MediaWiki 1.22 branch.
=== Changes since 1.22.12 ===
* (Bug 67440) Allow classes to be registered properly from installer
== MediaWiki 1.22.12 ==
@@ -15,6 +41,7 @@ This is a maintenance release of the MediaWiki 1.22 branch.
This is a security release of the MediaWiki 1.22 branch.
=== Changes since 1.22.11 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module