X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=HISTORY;h=e57d346316a4a5437fcaa32a7945ba41189a7c72;hp=9cb53999fad82be12e9ecf671a100b0e175f9ae6;hb=155ee515d4c0cd3ecddf9f659d9edd84b284081f;hpb=2acd6fb2234146d8533d3529c93d56f03af45bab diff --git a/HISTORY b/HISTORY index 9cb53999fa..e57d346316 100644 --- a/HISTORY +++ b/HISTORY @@ -1,6 +1,40 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.27. -== MediaWiki 1.26 == += MediaWiki 1.26 = + +== MediaWiki 1.26.2 == + +This is a maintenance release of the MediaWiki 1.26 branch. + +=== Changes since 1.26.1 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1. + +== MediaWiki 1.26.1 == + +This is a maintenance release of the MediaWiki 1.26 branch. + +=== Changes since 1.26.0 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy. +* Fixed stray literal \n in Special:Search. +* Fix issue that breaks HHVM Repo Authorative mode. +* (T120267) Work around APCu memory corruption bug + +== MediaWiki 1.26.0 == === Configuration changes in 1.26 === * $wgPasswordResetRoutes['email'] = true by default. @@ -91,7 +125,7 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.27. documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its subclasses for more information. -== extension.json changes in 1.26 == +=== extension.json changes in 1.26 === * (T99344) The extension.json schema is now versioned. All extensions and skins should set a "manifest_version" property corresponding to the schema version they were written for. The only supported version @@ -244,7 +278,39 @@ changes to languages because of Phabricator reports. * $wgDeferredUpdateList was removed. * DeferredUpdates::addHTMLCacheUpdate() was removed. -== MediaWiki 1.25 == += MediaWiki 1.25 = + +== MediaWiki 1.25.5 == + +This is a maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.4 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4. + +== MediaWiki 1.25.4 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.3 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. +* (T114606) mw.notify was not correctly fixed to the page if + initialized while not at the top of the page. +* Fix issue that breaks HHVM Repo Authorative mode. == MediaWiki 1.25.3 == @@ -299,6 +365,8 @@ This is a bug fix release of the MediaWiki 1.25 branch. === Changes since 1.25 === * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension +== MediaWiki 1.25.0 == + === Configuration changes in 1.25 === * $wgPageShowWatchingUsers was removed. * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts. @@ -801,55 +869,42 @@ changes to languages because of Bugzilla reports. loadedScripts object, from wikibits.js (deprecated since 1.17) now emit warnings through mw.log.warn when accessed. += MediaWiki 1.24 = -== Compatibility == - -MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for -HHVM 3.3.0. +== MediaWiki 1.24.6 == -MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but -support for them is somewhat less mature. There is experimental support for -Oracle and Microsoft SQL Server. - -The supported versions are: - -* MySQL 5.0.3 or later -* PostgreSQL 8.3 or later -* SQLite 3.3.7 or later -* Oracle 9.0.1 or later -* Microsoft SQL Server 2005 (9.00.1399) - -== Upgrading == - -1.25 has several database changes since 1.24, and will not work without schema -updates. Note that due to changes to some very large tables like the revision -table, the schema update may take quite long (minutes on a medium sized site, -many hours on a large site). - -If upgrading from before 1.11, and you are using a wiki as a commons -repository, make sure that it is updated as well. Otherwise, errors may arise -due to database schema changes. - -If upgrading from before 1.7, you may want to run refreshLinks.php to ensure -new database fields are filled with data. +This is a maintenance release of the MediaWiki 1.24 branch. -If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to -1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed -with MediaWiki 1.21. +=== Changes since 1.24.5 === +* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5. -Don't forget to always back up your database before upgrading! +== MediaWiki 1.24.5 == -See the file UPGRADE for more detailed upgrade instructions. - -For notes on 1.24.x and older releases, see HISTORY. +This is a security and maintenance release of the MediaWiki 1.23 branch. -== MediaWiki 1.24 == +=== Changes since 1.24.4 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. == MediaWiki 1.24.4 == This is a security and maintenance release of the MediaWiki 1.24 branch. -== Changes since 1.24.3 == +=== Changes since 1.24.3 === * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+. * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running @@ -864,7 +919,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch. This is a security and maintenance release of the MediaWiki 1.24 branch. -== Changes since 1.24.2 == +=== Changes since 1.24.2 === * (T94116) SECURITY: Compare API watchlist token in constant time * (T97391) SECURITY: Escape error message strings in thumb.php @@ -878,7 +933,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch. This is a security and maintenance release of the MediaWiki 1.24 branch. -== Changes since 1.24.1 == +=== Changes since 1.24.1 === * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. @@ -902,7 +957,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch. This is a security and maintenance release of the MediaWiki 1.24 branch. -== Changes since 1.24.0 == +=== Changes since 1.24.0 === * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to @@ -915,6 +970,8 @@ This is a security and maintenance release of the MediaWiki 1.24 branch. * (bug T76168) OutputPage: Add accessors for some protected properties. * (bug T74834) Make 1.24 branch directly installable under PostgreSQL. +== MediaWiki 1.24.0 == + === Configuration changes in 1.24 === * MediaWiki will no longer run if register_globals is enabled. It has been deprecated for 5 years now, and was removed in PHP 5.4. For more information @@ -1607,14 +1664,41 @@ of files that are no longer available follows. * skins/common/images/icons/fileicon.png * skins/common/images/ksh/button_S_italic.png += MediaWiki 1.23 = + +== MediaWiki 1.23.13 == + +This is a maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.12 === +* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12. + +== MediaWiki 1.23.12 == -== MediaWiki 1.23 == +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.11 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki == MediaWiki 1.23.11 == This is a security and maintenance release of the MediaWiki 1.23 branch. -== Changes since 1.23.10 == +=== Changes since 1.23.10 === * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading @@ -1624,7 +1708,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch. This is a security and maintenance release of the MediaWiki 1.23 branch. -== Changes since 1.23.9 == +=== Changes since 1.23.9 === * (T94116) SECURITY: Compare API watchlist token in constant time * (T97391) SECURITY: Escape error message strings in thumb.php @@ -1639,7 +1723,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch. This is a security and maintenance release of the MediaWiki 1.23 branch. -== Changes since 1.23.8 == +=== Changes since 1.23.8 === * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. @@ -1652,14 +1736,14 @@ This is a security and maintenance release of the MediaWiki 1.23 branch. prevent XSS and protect viewer's privacy. * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running update.php to fix. -* (bug T70087) Fix Special:ActiveUsers page for installations using +* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. == MediaWiki 1.23.8 == This is a security and maintenance release of the MediaWiki 1.23 branch. -== Changes since 1.23.7 == +=== Changes since 1.23.7 === * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to @@ -1673,7 +1757,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch. This is a security and maintenance release of the MediaWiki 1.23 branch. -== Changes since 1.23.6 == +=== Changes since 1.23.6 === * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash @@ -1777,6 +1861,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch. like only extracting the tail of the file partially or not at all. * (bug 66182) Removed -x flag on some php files. +== MediaWiki 1.23.0 == === Configuration changes in 1.23 === * (bug 13250) Restored method for clearing a watchlist in web UI @@ -2245,7 +2330,7 @@ changes to languages because of Bugzilla reports. ==== Removed globals ==== * $wgBetterDirectionality (deprecated in 1.18) -== MediaWiki 1.22 == += MediaWiki 1.22 = == MediaWiki 1.22.15 == @@ -2401,6 +2486,8 @@ This is a security and maintenance release of the MediaWiki 1.22 branch. * (bug 47055) Changed FOR UPDATE handling in Postgresql * (bug 57026) Avoid extra parsing in prepareContentForEdit() +== MediaWiki 1.22.0 == + === Configuration changes in 1.22 === * $wgRedirectScript was removed. It was unused. * Removed $wgLocalMessageCacheSerialized, it is now always true. @@ -2810,7 +2897,7 @@ This is a security and maintenance release of the MediaWiki 1.22 branch. file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl. * The new query module list=allfileusages to enumerate file usages was added. -=== Languages updated in 1.22=== +=== Languages updated in 1.22 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as @@ -2928,7 +3015,7 @@ changes to languages because of Bugzilla reports. * mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name still works, but is deprecated.) -== MediaWiki 1.21 == += MediaWiki 1.21 = == MediaWiki 1.21.11 == This is a security and maintenance release of the MediaWiki 1.21 branch. @@ -3016,6 +3103,8 @@ This is a maintenance release of the MediaWiki 1.21 branch. * A problem with the Oracle SQL table creation was fixed. * (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds. +== MediaWiki 1.21.0 == + === Configuration changes in 1.21 === * (bug 29374) $wgVectorUseSimpleSearch is now enabled by default. * Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname' @@ -3344,7 +3433,7 @@ changes to languages because of Bugzilla reports. * BREAKING CHANGE: (bug 38244) Removed the mediawiki.api.titleblacklist module and moved it to the TitleBlacklist extension. -== MediaWiki 1.20 == += MediaWiki 1.20 = == MediaWiki 1.20.8 == This is a security release of the MediaWiki 1.20 branch. @@ -3397,7 +3486,7 @@ This is a security release of the MediaWiki 1.20 branch. == MediaWiki 1.20.3 == This is a security and maintenance release of the MediaWiki 1.20 branch. -== MediaWiki 1.20.2 == +=== Changes since MediaWiki 1.20.2 === * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.) * (bug 44010) Context is passed to UserGetLanguageObject. * The recursion guard on RequestContext::getLanguage() was weakened. @@ -3411,14 +3500,14 @@ This is a security and maintenance release of the MediaWiki 1.20 branch. == MediaWiki 1.20.2 == This is a maintenance release of the MediaWiki 1.20 branch -== MediaWiki 1.20.1 == +=== Changes since MediaWiki 1.20.1 === * (bug 42638) Fix API action=options&reset=1 & unit tests. * (bug 42370) Fixed backport of 60cc060 to use mDoneWrites — caused * (bug 42592) User rights, preferences and other things are not saving in 1.20.1. == MediaWiki 1.20.1 == This is a security release of the MediaWiki 1.20 branch -Changes since 1.20 +=== Changes since 1.20.0 === * (bug 42202) Validate options to prevent html injection * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391) * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit @@ -3426,9 +3515,7 @@ Changes since 1.20 * (bug 40632) Remove CleanupPresentationalAttributes feature * [Database] Fixed case where trx idle callbacks might be lost. - - -== MediaWiki 1.20 == +== MediaWiki 1.20.0 == === PHP 5.3 now required === Since 1.20, the lowest supported version of PHP is now 5.3.2. Please @@ -3795,7 +3882,7 @@ changes to languages because of Bugzilla reports. == MediaWiki 1.19.21 == This is a maintenance release of the MediaWiki 1.19 branch. -=== Changes since 1.19.20=== +=== Changes since 1.19.20 === * (bug 67440) Allow classes to be registered properly from installer. * (bug 47281) Fixed a dumpBackup.php error with --uploads --include-filesoptions: Unable to find the wrapper "mwstore". * System administrators are encouraged to upgrade to this release or 1.22+ and produce a full data dump. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki * (bug 63049) Removed anonymous functions from ApiFormatBase, added in1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility. @@ -3803,73 +3890,73 @@ This is a maintenance release of the MediaWiki 1.19 branch. == MediaWiki 1.19.20 == This is a security release of the MediaWiki 1.19 branch. -=== Changes since 1.19.19=== +=== Changes since 1.19.19 === * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance. == MediaWiki 1.19.19 == This is a security release of the MediaWiki 1.19 branch. -=== Changes since 1.19.18=== +=== Changes since 1.19.18 === * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter