From 394be2a788255ad8da2f588796878d9caa420da4 Mon Sep 17 00:00:00 2001 From: Chad Horohoe Date: Mon, 8 Mar 2010 22:52:23 +0000 Subject: [PATCH] Merge r63436 RELEASE-NOTES to trunk HISTORY --- HISTORY | 3 +++ 1 file changed, 3 insertions(+) diff --git a/HISTORY b/HISTORY index 1eca29add0..132af88ac2 100644 --- a/HISTORY +++ b/HISTORY @@ -1155,6 +1155,9 @@ changes to languages because of MediaZilla reports. * (bug 16343) Non-existing, but in use, category pages can be "go" match hits * Fixed a CSS validation issue which allowed external images to be included into wikis where that is disallowed by configuration. +* Fixed a data leakage vulnerability for private wikis using img_auth.php or + similar image access authentication schemes. Check user permissions before + streaming out scaled images from thumb.php. == API changes in 1.15 == * (bug 16858) Revamped list=deletedrevs to make listing deleted contributions -- 2.20.1
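Review bot: in the added HISTORY entry, the second sentence ("Check user permissions before streaming out scaled images from thumb.php.") is written in the imperative, so it can be read as an instruction to wiki administrators rather than a description of what was fixed. Reword it to state the new behaviour, for example "thumb.php now checks user permissions before streaming out scaled images." The entry also carries no bug number, unlike the neighbouring "(bug 16343)" item, and does not name the release that contains the fix, so an operator of a private wiki using img_auth.php cannot tell from HISTORY alone whether their install is affected. Add the reference or the fixed version if one exists.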