author | mglaser <glaser@hallowelt.biz> | 2014-12-17 18:59:36 +0100 |
---|---|---|
committer | mglaser <glaser@hallowelt.biz> | 2014-12-17 20:02:23 +0100 |
commit | bdef20f09020fe20f2faf120687736b59b36bdeb (patch) | |
tree | 23864a20a665d3c39676723f7dbf05a68fd1ab17 | |
parent | a1243a096678c4c9503eb8d498d576cff6192f1e (diff) |
Updated release notes and version number to MediaWiki 1.22.15
This is the MediaWiki 1.22.15 security and maintenance release.
Change-Id: I78610330a795b28548192c90c1bf5d46de775963
-rw-r--r-- | RELEASE-NOTES-1.22 | 14 |
-rw-r--r-- | includes/DefaultSettings.php | 2 |
2 files changed, 15 insertions, 1 deletions
diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index 20c19471370a..9d10f22215a7 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -3,6 +3,20 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.22.15 == + +This is a security and maintenance release of the MediaWiki 1.22 branch. + +=== Changes since 1.22.14 === + +* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which + could lead to xss. Permission to edit MediaWiki namespace is required to + exploit this. +* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in + $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as + part of its name. +* (bug T74222) The original patch for T74222 was reverted as unnecessary. + == MediaWiki 1.22.14 == This is a security and maintenance release of the MediaWiki 1.22 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 6feac36b986a..7856810769c3 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -63,7 +63,7 @@ $wgConf = new SiteConfiguration; * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.22.14'; +$wgVersion = '1.22.15'; /** * Name of the site. It must be changed in LocalSettings.php |
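Review bot: The T74222 entry at the end of the new "Changes since 1.22.14" list in RELEASE-NOTES-1.22 says only that "The original patch for T74222 was reverted as unnecessary", which identifies the change by its own bug number and tells a reader of the release notes nothing about what behaviour changes back; name the reverted change in a few words. In the T77028 entry, "if it only included an allowed domain as part of its name" would read more clearly as "if its name merely contained an allowed domain", and the entry could state whether wikis that leave $wgCrossSiteAJAXdomains unset are affected. In the T76686 entry, write "XSS" rather than "xss".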