From 749e7fb2bae7bbda855de3c9e319435b9f698ff7 Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Mon, 3 Mar 2008 09:36:49 +0100 Subject: MediaWiki 1.11.2 released (security) --- RELEASE-NOTES | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'RELEASE-NOTES') diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5115778e..4876d79b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,24 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.11.2 == + +March 2, 2008 + +This is a security release of the Fall 2007 snapshot release of MediaWiki. +Possible cross-site information leaks using the callback parameter for +JSON-formatted results in the API are prevented by dropping user credentials. + +MediaWiki release versions prior to 1.11 are not vulnerable, as they do +not include the callback feature which allows client-side JavaScript on +other sites to reach API data. + +Changes in this release: + +* User credentials are dropped for API JSON requests using a callback +* Edit tokens are not reported for API JSON requests using a callback + + == MediaWiki 1.11.1 == January 23, 2008 -- cgit v1.2.2
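Review bot: The added "== MediaWiki 1.11.2 ==" entry never names the affected releases or the impact on existing API clients, and both belong in a security release note. The second paragraph says versions prior to 1.11 are not vulnerable, which leaves the reader to infer which 1.11.x releases are; state the affected 1.11.x versions explicitly and tell administrators running them to upgrade. Under "Changes in this release", the two bullets say user credentials are dropped and edit tokens are not reported for API JSON requests using a callback, which reads as those requests now being answered without the user's session; add a sentence saying so, so that operators of scripts that pass callback know to expect results without the logged-in user's data and without an edit token. The entry also cites no bug or advisory reference; if one exists, link it here. Minor style point: the hunk ends with two added blank lines before "== MediaWiki 1.11.1 ==", so check that this matches the spacing between the other release sections in the file.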