Merge r63436 RELEASE-NOTES to trunk HISTORY

author Chad Horohoe <demon@users.mediawiki.org>

Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)

committer Chad Horohoe <demon@users.mediawiki.org>

Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)
author Chad Horohoe <demon@users.mediawiki.org>
Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)
committer Chad Horohoe <demon@users.mediawiki.org>
Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)
diff --git a/HISTORY b/HISTORY

index 1eca29a..132af88 100644 (file)
--- a/HISTORY
+++ b/HISTORY
@@ -1155,6 +1155,9 @@ changes to languages because of MediaZilla reports.
  * (bug 16343) Non-existing, but in use, category pages can be "go" match hits
  * Fixed a CSS validation issue which allowed external images to be included
    into wikis where that is disallowed by configuration.
+* Fixed a data leakage vulnerability for private wikis using img_auth.php or
+  similar image access authentication schemes. Check user permissions before
+  streaming out scaled images from thumb.php.
  
  == API changes in 1.15 ==
  * (bug 16858) Revamped list=deletedrevs to make listing deleted contributions
author	Chad Horohoe <demon@users.mediawiki.org>
	Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)
committer	Chad Horohoe <demon@users.mediawiki.org>
	Mon, 8 Mar 2010 22:52:23 +0000 (22:52 +0000)