Diffstat (limited to 'RELEASE-NOTES-1.22')
-rw-r--r-- | RELEASE-NOTES-1.22 | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index ed64aa4d..9862e5eb 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 
@@ -3,15 +3,45 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.3 == + +This is a security and bugfix release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.2 === +* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted + namespaces. Also disallow iframe elements. User will get an error + including the namespace name if they use a non- whitelisted namespace. +* (bug 61346) SECURITY: Make token comparison use constant time. It seems like + our token comparison would be vulnerable to timing attacks. This will take + constant time. +* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links. +* (bug 53710) Add sequence support for upsert in DatabaseOracle in the same way + as in selectInsert +* (bug 60231, 58719) Various fixes to job running code in Wiki.php: Make it + async on Windows. Fixed possible "invalid filename" errors on Windows. + Redirect output to dev/null to avoid hanging PHP. +* (bug 60083) Correct sequence name for fresh Postgres installation. Spotted + by gebhkla +* (bug 60531) Avoid variable naming conflicts in + DatabasePostgres::selectSQLText. Spotted by gebhkla +* (bug 60094) Fix rebuildall.php fatal error with PostgreSQL. The fix for + 47055 introduced a fatal error when running rebuildall.php. This is a + workaround suggested by gebhkla on Bugzilla. It just checks to make sure + $options is actually an array before calling array_search on it. +* (bug 43817c12) Add error handling if descriptionmsg isn't defined for + extension. +* (bug 60543) Special:PrefixIndex omits stripprefix=1 for "Next page" link. + == MediaWiki 1.22.2 == This is a security and bugfix release of the MediaWiki 1.22 branch. 
=== Changes since 1.22.1 === -* (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats -* (bug 58253) Check for very old PCRE versions in installer and updater -* (bug 60054) Make WikiPage::$mPreparedEdit public +* (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media + formats. +* (bug 58253) Check for very old PCRE versions in installer and updater. +* (bug 60054) Make WikiPage::$mPreparedEdit public. == MediaWiki 1.22.1 == |
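Review bot: In the new 1.22.3 list, "(bug 43817c12)" is not a well-formed bug number. The "c12" suffix appears to be a comment reference folded into the id, so write "(bug 43817)" and cite the comment separately if it matters. In the bug 60231 entry, "Redirect output to dev/null" is missing its leading slash and should read "/dev/null". The bug 61346 SECURITY entry is hedged ("It seems like our token comparison would be vulnerable to timing attacks"), which leaves an administrator unsure whether the upgrade is needed. Say plainly that token comparison was not constant time and now is. For consistency with the trailing periods this hunk adds to the 1.22.1 entries, the new "as in selectInsert" and both "Spotted by gebhkla" lines should also end with a period, and "non- whitelisted" should lose the stray space.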