author | Chad Horohoe <chadh@wikimedia.org> | 2015-12-17 15:04:46 -0800
---|---|---
committer | Chad Horohoe <chadh@wikimedia.org> | 2015-12-17 16:33:20 -0800
commit | 42e1e5586fac1548705bbcb984d22c57992ea748 |
tree | b57cf7af270e555a933e05f58d8fc201906b8739 |
parent | d0d287546e242e9489d13d0b51caf73516f307d4 |
1.24.5: Prep release notes and bump version number
Change-Id: I9fd74dc86f54d33f20e39d4b9f6c9f667c44b9ba
-rw-r--r-- | RELEASE-NOTES-1.24 | 18
-rw-r--r-- | includes/DefaultSettings.php | 2
2 files changed, 17 insertions, 3 deletions
diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24 index f8713d0220fd..3dc97612abe3 100644 --- a/RELEASE-NOTES-1.24 +++ b/RELEASE-NOTES-1.24 @@ -3,10 +3,24 @@ turn it off. MediaWiki will no longer work with it enabled. == MediaWiki 1.24.5 == -THIS IS NOT YET A RELEASE! +This is a security and maintenance release of the MediaWiki 1.23 branch. == Changes since 1.24.4 == - +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki * (T103237) $wgUseGzip had no effect when using file cache. == MediaWiki 1.24.4 == diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index e58c051d5eb5..0b049a38a76d 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -75,7 +75,7 @@ $wgConfigRegistry = array( * Using single quotes is, therefore, important here. * @since 1.2 */ -$wgVersion = '1.24.4'; +$wgVersion = '1.24.5'; /** * Name of the site. It must be changed in LocalSettings.php |
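Review bot: The added intro line under "== MediaWiki 1.24.5 ==" in RELEASE-NOTES-1.24 says "release of the MediaWiki 1.23 branch", which contradicts both the file name and the section heading; it should read "the MediaWiki 1.24 branch". In the same hunk, the T119309 entry names hash_compare(), but PHP's timing-safe string comparison is hash_equals(), so the entry should name the function the fix actually calls. The T117899 entry is the only one that gives administrators an action to take (which $wgArticlePath values are accepted and that others now throw an error); the T118032 and T97897 entries would benefit from a similar half-line on whether any configuration or existing blocks need to be re-checked after upgrading.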