author | csteipp <csteipp@wikimedia.org> | 2015-03-30 13:41:56 -0700 |
---|---|---|
committer | Chris Steipp <csteipp@wikimedia.org> | 2015-03-31 21:21:50 +0000 |
commit | 5045ffefed8c3be80975f9ca5acb53d5e08cc8fe (patch) | |
tree | f6b8107fc646bebcf1efcfec95bcaceb9ae67905 | |
parent | ced28b90e59b26c1cff08124bd572e0d4a79934e (diff) |
Updated release notes and version number for MediaWiki 1.24.2
Change-Id: I23a46373bf2c9c173fb1807d5ff68ecf5a623de9
-rw-r--r-- | RELEASE-NOTES-1.24 | 13 |
-rw-r--r-- | includes/DefaultSettings.php | 2 |
2 files changed, 13 insertions, 2 deletions
diff --git a/RELEASE-NOTES-1.24 b/RELEASE-NOTES-1.24 index 500c47ca412c..43ba2876ebae 100644 --- a/RELEASE-NOTES-1.24 +++ b/RELEASE-NOTES-1.24 @@ -3,10 +3,21 @@ turn it off. MediaWiki will no longer work with it enabled. == MediaWiki 1.24.2 == -This is a not yet released maintenance release of the MediaWiki 1.24 branch. +This is a security and maintenance release of the MediaWiki 1.24 branch. == Changes since 1.24.1 == +* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities, + to prevent various DoS attacks. +* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce + likelihood of DoS. +* (T88310) SECURITY: Always expand xml entities when checking SVG's. +* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. +* (T85855) SECURITY: Don't execute another user's CSS or JS on preview. +* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when + using PBKDF2. +* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to + prevent XSS and protect viewer's privacy. * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false. * (bug T70087) Fix Special:ActiveUsers page for installations using diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 96d0648d47bc..aad42aacf768 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -75,7 +75,7 @@ $wgConfigRegistry = array( * Using single quotes is, therefore, important here. * @since 1.2 */ -$wgVersion = '1.24.1'; +$wgVersion = '1.24.2'; /** * Name of the site. It must be changed in LocalSettings.php |
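Review bot: In the RELEASE-NOTES-1.24 hunk, the T64685 entry says "Allow setting maximal password length" but does not name the setting or say whether a limit applies by default, so an operator reading the notes cannot tell whether upgrading alone mitigates the PBKDF2 DoS; name the configuration variable and state its default in that entry. Smaller style points in the same hunk: the new entries are prefixed "(T85848, T71210)" while the existing entry just below uses "(bug T70087)", and the T88310 entry's "xml" and "SVG's" should read "XML" and "SVGs" to match the neighbouring entries.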