From 6a602dffe2c7c5295171d30d98452846e9a46356 Mon Sep 17 00:00:00 2001 From: Reedy Date: Fri, 7 Apr 2017 10:52:29 +0100 Subject: [PATCH 1/1] Update HISTORY for 1.28.1/1.27.2/1.23.16 Bug: T162170 Change-Id: Ic9d0eb183c56caa2955509f1e74cec1f101b89e1 --- HISTORY | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) diff --git a/HISTORY b/HISTORY index 7f365ac095..c6ce06c698 100644 --- a/HISTORY +++ b/HISTORY 
@@ -1,5 +1,44 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.29. += MediaWiki 1.28 = + +== MediaWiki 1.28.1 == + +This is a security and maintenance release of the MediaWiki 1.28 branch. + +=== Changes since 1.28.0 === + +* $wgRunJobsAsync is now false by default (T142751). This change only affects + wikis with $wgJobRunRate > 0. +* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has + more than one database server setup. +* (T152717) Better escaping for PHP mail() command, +* (T154670) A missing method causing the MySQL installer to fatal in rare + circumstances was restored. +* (T154672) Un-deprecate ArticleAfterFetchContentObject hook. +* (T158766) Avoid SQL error on MSSQL when using selectRowCount(). +* (T145635) Fix too long index error when installing with MSSQL. +* (T156184) $wgRawHtml will no longer apply to internationalization messages. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. +* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep + their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. +* (T156184) SECURITY: Escape content model/format url parameter in message. +* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD + declaration. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory + in it's fallback chain when trying to work out where to write the cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. 
+* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against + it. + == MediaWiki 1.28 == === Changes since 1.28.0-rc1 === 
@@ -326,6 +365,49 @@ There's usually someone online in #mediawiki on irc.freenode.net. = MediaWiki 1.27 = +== MediaWiki 1.27.2 == +This is a security and maintenance release of the MediaWiki 1.27 branch. + +ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as +deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0 +was released. + +=== Changes since 1.27.1 === + +* (T68404) CSS3 attr() function with url type argument is no longer allowed + in inline styles. +* $wgRunJobsAsync is now false by default (T142751). This change only affects + wikis with $wgJobRunRate > 0. +* (T152717) Better escaping for PHP mail() command +* Submitting the lgtoken and lgpassword parameters in the query string to + action=login is now deprecated and outputs a warning. They should be submitted + in the POST body instead. +* Submitting sensitive authentication request parameters to action=clientlogin, + action=createaccount, action=linkaccount, and action=changeauthenticationdata + in the query string is now deprecated and outputs a warning. They should be + submitted in the POST body instead. +* (T158766) Avoid SQL error on MSSQL when using selectRowCount() +* (T145635) Fix too long index error when installing with MSSQL. +* (T156184) $wgRawHtml will no longer apply to internationalization messages. +* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. +* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep + their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. +* (T156184) SECURITY: Escape content model/format url parameter in message. 
+* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD + declaration. +* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory + in it's fallback chain when trying to work out where to write the cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against + it. + == MediaWiki 1.27.1 == This is a maintenance release of the MediaWiki 1.27 branch. 
@@ -2670,6 +2752,32 @@ of files that are no longer available follows. = MediaWiki 1.23 = +== MediaWiki 1.23.16 == +This is a security and maintenance release of the MediaWiki 1.23 branch. + +=== Changes since 1.23.15 === +* (T68404) CSS3 attr() function with url type is no longer allowed + in inline styles. +* (T156184) $wgRawHtml will no longer apply to internationalization messages. +* Submitting the lgtoken and lgpassword parameters in the query string to + action=login is now deprecated and outputs a warning. They should be submitted + in the POST body instead. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. +* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when + $wgAdvancedSearchHighlighting is true. +* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep + their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. +* (T156184) SECURITY: Escape content model/format url parameter in message. +* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD + declaration. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against + it. + == MediaWiki 1.23.15 == This is a maintenance release of the MediaWiki 1.23 branch. -- 2.20.1
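Review bot: In the 1.28.1 hunk (@@ -1,5 +1,44 @@), T156184 is listed twice, once as a plain change ("$wgRawHtml will no longer apply to internationalization messages.") and once tagged SECURITY ("Escape content model/format url parameter in message."). Anyone filtering the notes for SECURITY entries will not see the first one; either tag both or merge them into a single SECURITY entry. Several SECURITY entries in this hunk (T109140/T122209, T144845, T151735, T48143, T108138) state the problem rather than what changed, unlike T150044 and T161453, so rewording them as fixes would make the list unambiguous. Two small text fixes: the T152717 line ends in a comma ("Better escaping for PHP mail() command,") and the T161453 entry should read "in its fallback chain".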
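Review bot: In the 1.27.2 hunk (@@ -326,6 +365,49 @@), the two entries deprecating credentials in the query string (lgtoken/lgpassword for action=login, and the sensitive parameters for action=clientlogin, action=createaccount, action=linkaccount and action=changeauthenticationdata) carry no task number and no SECURITY tag, although they appear in a security release alongside the T125177 entry about keeping sensitive parameter values out of the logs. If they belong to that change, cite the task on them so operators can trace where the new warning comes from. The T152717 and T158766 lines have no closing punctuation while the entries around them end in a period, "in it's fallback chain" should be "in its", and T156184 again appears both with and without the SECURITY tag.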
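Review bot: In the 1.23.16 hunk (@@ -2670,6 +2752,32 @@), the SECURITY list omits T161453 (LocalisationCache temporary directory fallback), which both the 1.28.1 and 1.27.2 sections include, and T152717 (mail() escaping) is absent as well. If those fixes were not backported to 1.23, say so in one line for operators still on this branch; if they were, the entries are missing. The T68404 entry here reads "with url type" where 1.27.2 says "with url type argument", and there is no blank line between "=== Changes since 1.23.15 ===" and the first bullet, unlike the other two sections.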