Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5115778e..4876d79b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,6 +3,24 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.11.2 == + +March 2, 2008 + +This is a security release of the Fall 2007 snapshot release of MediaWiki. +Possible cross-site information leaks using the callback parameter for +JSON-formatted results in the API are prevented by dropping user credentials. + +MediaWiki release versions prior to 1.11 are not vulnerable, as they do +not include the callback feature which allows client-side JavaScript on +other sites to reach API data. + +Changes in this release: + +* User credentials are dropped for API JSON requests using a callback +* Edit tokens are not reported for API JSON requests using a callback + + == MediaWiki 1.11.1 == January 23, 2008 |
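Review bot: The new "MediaWiki 1.11.2" entry never states the affected releases directly. The sentence "MediaWiki release versions prior to 1.11 are not vulnerable" leaves the reader to infer that 1.11.0 and 1.11.1 are the ones at risk. Suggest saying so explicitly in the first paragraph, so an administrator scanning the notes can tell at once whether an upgrade is needed. Under "Changes in this release", both bullets describe behaviour that API consumers can observe: a JSON request with a callback is now handled without user credentials and returns no edit tokens. It would help to add one line noting that clients which relied on a logged-in session together with the callback parameter will see anonymous results after this release. If a bug or advisory reference exists for this fix, citing it in the entry would let readers trace the change.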