1 files changed, 25 insertions, 0 deletions

diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index 81405f50..0adfbe20 100644
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -1,6 +1,31 @@
 Security reminder: If you have PHP's register_globals option set, you must
 turn it off. MediaWiki will not work with it enabled.
 
+== MediaWiki 1.26.1 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.0 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_equals() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
+* Fixed stray literal \n in Special:Search.
+* Fix issue that breaks HHVM Repo Authorative mode.
+* (T120267) Work around APCu memory corruption bug
+
 == MediaWiki 1.26 ==
 
 === Configuration changes in 1.26 ===