diff options
Diffstat (limited to 'RELEASE-NOTES-1.25')
-rw-r--r-- | RELEASE-NOTES-1.25 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25 index 08a6c157..179c2123 100644 --- a/RELEASE-NOTES-1.25 +++ b/RELEASE-NOTES-1.25 @@ -1,6 +1,31 @@ Security reminder: If you have PHP's register_globals option set, you must turn it off. MediaWiki will not work with it enabled. +== MediaWiki 1.25.4 == + +This is a security and maintenance release of the MediaWiki 1.25 branch. + +=== Changes since 1.25.3 === +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_equals() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki +* (T103237) $wgUseGzip had no effect when using file cache. +* (T114606) mw.notify was not correctly fixed to the page if + initialized while not at the top of the page. +* Fix issue that breaks HHVM Repo Authorative mode. + == MediaWiki 1.25.3 == This is a security and maintenance release of the MediaWiki 1.25 branch. |