From: jenkins-bot Date: Tue, 26 Mar 2019 15:35:17 +0000 (+0000) Subject: Merge "HISTORY: Add MediaWiki 1.9 post-release change notes" X-Git-Tag: 1.34.0-rc.0~2345 X-Git-Url: http://git.heureux-cyclage.org/?a=commitdiff_plain;h=40c2f440f80f631741734e17858a6148e1816ace;hp=-c;p=lhc%2Fweb%2Fwiklou.git Merge "HISTORY: Add MediaWiki 1.9 post-release change notes" --- 40c2f440f80f631741734e17858a6148e1816ace diff --combined HISTORY index 281e818e50,15617ef220..3f045527ee --- a/HISTORY +++ b/HISTORY @@@ -13424,121 -13424,6 +13424,121 @@@ Full API documentation is available at == MediaWiki 1.10 == +== MediaWiki 1.10.4 == + +March 2, 2008 + +* Correction for API path fix, broken in 1.10.3 + +== MediaWiki 1.10.3 == + +January 23, 2008 + +This is a security update to the Winter 2007 quarterly release. A potential +XSS injection vector affecting api.php only for Microsoft Internet Explorer +users has been closed. + + +To work around the vulnerability without upgrading, you may disable the API if +you don't need it: + +:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false; + +Not vulnerable versions: +* 1.12 or later +* 1.11 >= 1.11.1 +* 1.10 >= 1.10.3 +* 1.9 >= 1.9.5 +* 1.8 any version (if $wgEnableAPI has been left off) + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.2 +* 1.9 <= 1.9.4 +* 1.8 any version (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include the API +functionality, however the BotQuery extension is similarly vulnerable unless +updated to the latest SVN version. + +== MediaWiki 1.10.2 == +September 10, 2007 + +This is a security fix update to the Spring 2007 quarterly release snapshot. A +possible HTML/XSS injection vector in the API pretty-printing mode has been +found and fixed. 
+ +The vulnerability may be worked around in an unfixed version by simply +disabling the API interface if it is not in use, by adding this to +LocalSettings.php: +:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false; + +Not vulnerable versions: +* 1.11 >= 1.11.0 +* 1.10 >= 1.10.2 +* 1.9 >= 1.9.4 +* 1.8 >= 1.8.5 + +Vulnerable versions: +* 1.11 <= 1.11.0rc1 +* 1.10 <= 1.10.1 +* 1.9 <= 1.9.3 +* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on) + +MediaWiki 1.7 and below are not affected as they do not include the faulty +function, however the BotQuery extension is similarly vulnerable unless updated +to the latest SVN version. + +== MediaWiki 1.10.1 == +July 13, 2007 + +This is a bugfix update to the Spring 2007 quarterly release snapshot. A number +of fixes to improve compatibility with PostgreSQL, some versions of MySQL, and +some PHP configurations are included. + +Changes since 1.10.0: + +* (bug [[bugzilla:9417|9417]]) Uploading new versions of images when using +Postgres no longer throws warnings. +* (bug [[bugzilla:9908|9908]]) Using tsearch2 with Postgres 8.1 no longer gives +an error. +* (bug [[bugzilla:9973|9973]]) Changed size was shown in advanced recentchanges +collapsible items with $wgRCShowChangedSized = false. +* Fixed installation on MyISAM or old InnoDB with charset=utf8, was giving +overlong key errors. +* Fixed zero-padding issues with MySQL 5 binary schema +* (bug [[bugzilla:9820|9820]]) session.save_path check no longer halts +installation, but warns of possible bad values +* (bug [[bugzilla:9978|9978]]) Fixed session.save_path validation when using +extended configuration format, e.g. "5;/tmp" + +== MediaWiki 1.10.0 == +May 9, 2007 + +This is the quarterly release snapshot for Spring 2007. See below for a full +list of changes since the 1.9.x series. 
+ +Changes since 1.10.0rc2: + +* (bug [[bugzilla:9808|9808]]) Fix regression that ignored user 'rclimit' +option for Special:Contributions + +== MediaWiki 1.10.0rc2 == +May 4, 2007 + +THIS IS A RELEASE CANDIDATE MADE AVAILABLE FOR TESTING! +A FINAL 1.10.0 RELEASE WILL APPEAR WITHIN A FEW DAYS. + +Changes since 1.10.0rc1: +* Various l10n fixes and updates +* Fix for upgrade of page_restrictions table +* (bug [[bugzilla:9780|9780]]) Fix normalization of titles with initial colon +followed by whitespace +* Fix for regression in upload: wrong size info saved into image table +* Avoid cyclic stub problems when authorization hooks do funny things with the +user and the database at load time + +== MediaWiki 1.10.0rc1 == This is the Spring 2007 branch release of MediaWiki. MediaWiki is now using a "continuous integration" development model with @@@ -14028,10 -13913,159 +14028,159 @@@ break. Don't forget to always back up y See the file UPGRADE for more detailed upgrade instructions. = MediaWiki release notes = - Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. + = MediaWiki 1.9 = + + == MediaWiki 1.9.6 == + + March 2, 2008 + + * Correction for API path fix, broken in 1.9.5 + + == MediaWiki 1.9.5 == + + January 23, 2008 + + This is a security update to the Winter 2007 quarterly release. A potential XSS + injection vector affecting api.php only for Microsoft Internet Explorer users + has been closed. 
+ + + To work around the vulnerability without upgrading, you may disable the API if + you don't need it: + + :[[Manual:$wgEnableAPI|$wgEnableAPI]] = false; + + Not vulnerable versions: + * 1.12 or later + * 1.11 >= 1.11.1 + * 1.10 >= 1.10.3 + * 1.9 >= 1.9.5 + * 1.8 any version (if $wgEnableAPI has been left off) + + Vulnerable versions: + * 1.11 <= 1.11.0rc1 + * 1.10 <= 1.10.2 + * 1.9 <= 1.9.4 + * 1.8 any version (if $wgEnableAPI has been switched on) + + MediaWiki 1.7 and below are not affected as they do not include the API + functionality, however the BotQuery extension is similarly vulnerable unless + updated to the latest SVN version. + + == MediaWiki 1.9.4 == + + September 10, 2007 + + This is a security and bug fix update to the Winter 2007 quarterly release. + Minor compatibility fixes for IIS 5 are included. + + * (bug [[bugzilla:8847|8847]]) Strip spurious #fragments from request URI to + fix redirect loops on some server configurations + * A possible HTML/XSS injection vector in the API pretty-printing mode has been + found and fixed. + + The vulnerability may be worked around in an unfixed version by simply + disabling the API interface if it is not in use, by adding this to + LocalSettings.php: + + :[[Manual:$wgEnableAPI|$wgEnableAPI]] = false; + + Not vulnerable versions: + * 1.11 >= 1.11.0 + * 1.10 >= 1.10.2 + * 1.9 >= 1.9.4 + * 1.8 >= 1.8.5 + + Vulnerable versions: + * 1.11 <= 1.11.0rc1 + * 1.10 <= 1.10.1 + * 1.9 <= 1.9.3 + * 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on) + + MediaWiki 1.7 and below are not affected as they do not include the faulty + function, however the BotQuery extension is similarly vulnerable unless updated + to the latest SVN version. + + == MediaWiki 1.9.3 == + + February 20, 2007 + + This is a security and bug-fix update to the Winter 2007 quarterly release. + Minor compatibility fixes for IIS and PostgreSQL are included. 
+ + An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7 + charset autodetection was located in the AJAX support module, affecting MSIE + users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled. + + If you are using an extension based on the optional Ajax module, either disable + it or upgrade to a version containing the fix: + + * 1.9: fixed in 1.9.3 + * 1.8: fixed in 1.8.4 + * 1.7: fixed in 1.7.3 + * 1.6: fixed in 1.6.10 + + There is no known danger in the default configuration, with ''$wgUseAjax'' off. + + * ([[mediazilla:8992|8992]]) Fix a remaining raw use of REQUEST_URI in history + * ([[mediazilla:8984|8984]]) Fix a database error in + Special:Recentchangeslinked when using the PostgreSQL database. + * Add ''charset'' to Content-Type headers on various HTTP error responses to + forestall additional UTF-7-autodetect XSS issues. PHP sends only ''text/html'' + by default when the script didn't specify more details, which some + inconsiderate browsers consider a license to autodetect the deadly, + hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message + on MSIE when ''$wgUseAjax'' is enabled (not default configuration); this UTF-7 + variant on a previously fixed attack vector was discovered by Moshe BA from + BugSec: [http://www.bugsec.com/articles.php?Security=24 + http://www.bugsec.com/articles.php?Security=24] + * Trackback responses now specify XML content type + + == MediaWiki 1.9.2 == + + February 4, 2007 + + This is a bug-fix update that fixes some installation and other minor issues + with the 1.9.1 release as well as a security issue which was introduced in the + 1.9 branch. + + JavaScript code which regenerated the "sortable tables" feature did not + properly sanitize input, leading to an HTML injection vulnerability. 
+ + * ([[mediazilla:8774|8774]]) Fix path for GNU FDL rights icon on new installs + * ([[mediazilla:8819|8819]]) Fix full path disclosure with skins dependencies + * ([[mediazilla:8819|8819]]) Fixed data-loss bug in compressOld batch text + compression affecting pages which had null edits (move, protect, etc) as second + edit in a batch group. Isolated and patched by Travis Derouin. + * Security fix for sortable tables JavaScript + + == MediaWiki 1.9.1 == + + January 24, 2007 + + This is a bug-fix update that fixes some installation and upgrade issues with + the original 1.9.0 release. + + * ([[mediazilla:3000|3000]]) Fall back to SCRIPT_NAME plus QUERY_STRING when + REQUEST_URI is not available, as on IIS with PHP-CGI + * Security fix for DjVu images. (Only affects servers where .djvu file uploads + are enabled and ''$wgDjvuToXML'' is set.) + * ([[mediazilla:8638|8638]]) Fix update from 1.4 and earlier + * ([[mediazilla:8641|8641]]) Fix order of updates to ipblocks table for updates + from <=1.7 + * ([[mediazilla:8673|8673]]) Minor fix for web service API content-type header + * Fix API revision list on PHP 5.2.1; bad reference assignment + * Fixed up the AjaxSearch + * Exclude settings files when generating documentation. That could expose the + database user and password to remote users. + * ar: fix the 'create a new page' on search page when no exact match found + * Correct tooltip accesskey hint for Opera on the Macintosh (uses Shift-Esc-, + not Ctrl-). + * ([[mediazilla:8719|8719]]) Firefox release notes lie! Fix tooltips for + Firefox 2 on x11; accesskeys default settings appear to be same as Windows. == Changes since 1.8 ==
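Review bot: In the 1.10.3 entry of the first hunk (@@@ -13424), the version lists leave 1.11.0 unclassified: "Not vulnerable versions" starts at "1.11 >= 1.11.1" while "Vulnerable versions" stops at "1.11 <= 1.11.0rc1". That vulnerable bound is identical to the one in the 1.10.2 entry just below it, where 1.11.0 is listed as fixed, so for the api.php issue it should be checked and, if 1.11.0 is affected, changed to "1.11 <= 1.11.0". An admin deciding whether to set $wgEnableAPI = false reads these lists literally, so the two ranges need to meet. Minor: the added "== MediaWiki 1.10.0rc1 ==" heading has no date line, unlike every other entry in the hunk.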
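Review bot: In the 1.9.2 entry of the second hunk (@@@ -14028), two unrelated items carry the same bug reference, ([[mediazilla:8819|8819]]): "Fix full path disclosure with skins dependencies" and "Fixed data-loss bug in compressOld batch text compression". One of the two numbers should be verified against the tracker and corrected before it is recorded in HISTORY, since the path disclosure item is security-relevant and readers will follow the link. The hunk also mixes link prefixes, [[mediazilla:...]] in 1.9.1 through 1.9.3 and [[bugzilla:...]] in 1.9.4; pick one. In the 1.9.5 entry the 1.11 ranges do not meet: fixed from "1.11 >= 1.11.1", vulnerable up to "1.11 <= 1.11.0rc1", with 1.11.0 in neither list.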