author | Reedy <reedy@wikimedia.org> | 2020-09-24 15:03:37 +0100 |
---|---|---|
committer | Reedy <reedy@wikimedia.org> | 2020-09-24 15:13:35 +0100 |
commit | 65f487580491f9c8154570f4da9d9a168f0ac625 (patch) | |
tree | 50b8b771f99c6928c9d925f8a58388fddb05f1bd | |
parent | 95265bbba70dcf48d221118860e6ef958e0902b1 (diff) |
Prep 1.31.9
Change-Id: I83302334eff4210bff297cf0d2a18ea4a98e35f4
-rw-r--r-- | RELEASE-NOTES-1.31 | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31 index 1ca98a5ffaf1..8024d2ab8274 100644 --- a/RELEASE-NOTES-1.31 +++ b/RELEASE-NOTES-1.31 @@ -1,6 +1,6 @@ == MediaWiki 1.31.9 == -THIS IS NOT A RELEASE YET +This is a security and maintenance release of the MediaWiki 1.31 branch. === Changes since MediaWiki 1.31.8 === * In the web installer, use secure session cookies. @@ -25,15 +25,16 @@ THIS IS NOT A RELEASE YET * (T258390) Add CentralIdLookup::factoryNonLocal(). * (T246991) User: Fix pingLimiter() to use makeGlobalKey() for global rate limits. -* (T251661) User::pingLimiter: add user-global rate limit type. +* (T251661, CVE-2020-25827) SECURITY: User::pingLimiter: add user-global rate + limit type. * (T246991) User: enforce pingLimiter() expiry time. * (T260232) don't include null page ids in query list for category dumps. * (T251506) Sanitizer: Truncate IDs to a reasonable length. * Explicitly wrap some XML calls in libxml_disable_entity_loader(). * (T263455 T247285) Set EnableJavaScriptTest to true in includes/DevelopmentSettings.php. -* (T232568) SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden - users. +* (T232568, CVE-2020-25813) SECURITY: Special:UserRights exposes the existence + of hidden users. * (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking firejail's --output functionality. * (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and |
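Review bot: In the second hunk, the reworded T232568 entry ("SECURITY: Special:UserRights exposes the existence of hidden users.") states the bug rather than the fix, so under "Changes since MediaWiki 1.31.8" it reads as if 1.31.9 introduces the exposure. The other SECURITY entries in this hunk describe the change that was made ("Prevent invoking firejail's --output functionality", "User::pingLimiter: add user-global rate limit type"). Suggest keeping the added CVE-2020-25813 tag and SECURITY marker but retaining the removed fix wording, for example "* (T232568, CVE-2020-25813) SECURITY: SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users."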