X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=HISTORY;h=0410bd56725c393514dc533870333bfcd0283c65;hb=1fa2d7e5d048744be9bf4d3f5e12202d76097c10;hp=9cb53999fad82be12e9ecf671a100b0e175f9ae6;hpb=eff3a3bc47797f56fd0fa1f55a63aac349d448c1;p=lhc%2Fweb%2Fwiklou.git

diff --git a/HISTORY b/HISTORY
index 9cb53999fa..0410bd5672 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,6 +1,30 @@
 Change notes from older releases. For current info see RELEASE-NOTES-1.27.
 
 == MediaWiki 1.26 ==
+== MediaWiki 1.26.1 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.0 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
+* Fixed stray literal \n in Special:Search.
+* Fix issue that breaks HHVM Repo Authorative mode.
+* (T120267) Work around APCu memory corruption bug
 
 === Configuration changes in 1.26 ===
 * $wgPasswordResetRoutes['email'] = true by default.
@@ -246,6 +270,31 @@ changes to languages because of Phabricator reports.
 
 == MediaWiki 1.25 ==
 
+== MediaWiki 1.25.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.3 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+* (T114606) mw.notify was not correctly fixed to the page if
+  initialized while not at the top of the page.
+* Fix issue that breaks HHVM Repo Authorative mode.
+
 == MediaWiki 1.25.3 ==
 
 This is a security and maintenance release of the MediaWiki 1.25 branch.
@@ -845,6 +894,28 @@ For notes on 1.24.x and older releases, see HISTORY.
 
 == MediaWiki 1.24 ==
 
+== MediaWiki 1.24.5 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+== Changes since 1.24.4 ==
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+
 == MediaWiki 1.24.4 ==
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
@@ -1610,6 +1681,27 @@ of files that are no longer available follows.
 
 == MediaWiki 1.23 ==
 
+== MediaWiki 1.23.12 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+== Changes since 1.23.11 ==
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+
 == MediaWiki 1.23.11 ==
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.