Diffstat (limited to 'RELEASE-NOTES-1.22')
-rw-r--r-- | RELEASE-NOTES-1.22 | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 20c19471..9d10f222 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,20 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.15 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.14 === + +* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which + could lead to xss. Permission to edit MediaWiki namespace is required to + exploit this. +* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in + $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as + part of its name. +* (bug T74222) The original patch for T74222 was reverted as unnecessary. + == MediaWiki 1.22.14 == This is a security and maintenance release of the MediaWiki 1.22 branch. |
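Review bot: The T74222 entry at the end of the new 1.22.15 list says only that the original patch "was reverted as unnecessary", without saying what that patch changed or which release shipped it, so a reader of these notes cannot tell whether the revert affects their installation; add a short description of the reverted change. In the T76686 entry, "xss" should be written "XSS" to match the usual spelling. In the T77028 entry, "if it only included an allowed domain as part of its name" shifts tense from "can bypass" and is easy to misread; something like "if its name merely contains an allowed domain" states the condition more directly.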