Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r--  RELEASE-NOTES  31
1 files changed, 31 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a2bc56c5..ac1b7a47 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -3,6 +3,37 @@
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.
+== MediaWiki 1.10.2 ==
+
+September 10, 2007
+
+This is a security fix update to the Spring 2007 quarterly release snapshot.
+A possible HTML/XSS injection vector in the API pretty-printing mode has
+been found and fixed.
+
+The vulnerability may be worked around in an unfixed version by simply
+disabling the API interface if it is not in use, by adding this to
+LocalSettings.php:
+
+ $wgEnableAPI = false;
+
+Not vulnerable versions:
+* 1.11 >= 1.11.0
+* 1.10 >= 1.10.2
+* 1.9 >= 1.9.4
+* 1.8 >= 1.8.5
+
+Vulnerable versions:
+* 1.11 <= 1.11.0rc1
+* 1.10 <= 1.10.1
+* 1.9 <= 1.9.3
+* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)
+
+MediaWiki 1.7 and below are not affected as they do not include
+the faulty function, however the BotQuery extension is similarly
+vulnerable unless updated to the latest SVN version.
+
+
== MediaWiki 1.10.1 ==
July 13, 2007
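Review bot: the workaround `$wgEnableAPI = false;` is given without stating what the default is per branch, even though the 1.8 entry "(if $wgEnableAPI has been switched on)" implies the API is off by default there and on by default in 1.9/1.10/1.11; say so explicitly so that admins on the later branches understand they are exposed out of the box and that the workaround is a no-op on 1.8 unless they enabled the API themselves. "A possible HTML/XSS injection vector in the API pretty-printing mode" and "the faulty function" also give a reader nothing to verify against: name the affected output format/module and the fixing revision (or bug reference), and do the same for BotQuery instead of "the latest SVN version", so that a site can check its access logs for the relevant format parameter and confirm it is on a fixed revision. Minor wording: "Not vulnerable versions:" would read better as "Unaffected versions:", matching the "Vulnerable versions:" list that follows.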