author mglaser <glaser@hallowelt.biz> 2014-11-26 22:55:30 +0100
committer mglaser <glaser@hallowelt.biz> 2014-11-27 02:43:38 +0100
commit c07c153196b9a26ee8cfab97539a8e9aaf3865e6
tree 4a43b891dd72a54557db9f42f118ac4bd1ba34bd
parent c4d792821ae5b3368514e9e2279e4c843c25bc63
Updated release notes and version number for MediaWiki 1.23.7

This is the MediaWiki 1.23.7 security and maintenance release.

Change-Id: Ib796284fb7be80fee37652bdc9acc4e91f4d0bf9
-rw-r--r-- RELEASE-NOTES-1.23 | 23
-rw-r--r-- includes/DefaultSettings.php | 2
2 files changed, 24 insertions, 1 deletions
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index b0bc0914ce8b..190fc9562efb 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -7,6 +7,29 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
== Changes since 1.23.6 ==
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
+ HTML, it is not safe to preview wikitext coming from an untrusted source such
+ as a cross-site request. Thus add an edit token to the form, and when raw HTML
+ is allowed, ensure the token is provided before showing the preview. This
+ check is not performed on wikis that both allow raw HTML and anonymous
+ editing, since there are easier ways to exploit that scenario.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
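Review bot: The (bug 71621) entry says only "a config option" and the (bug 70901) entry introduces the "editcontentmodel" right without saying which groups hold it, so an administrator reading these notes cannot tell what to set or audit after upgrading. Name the setting and its default in the 71621 entry, the way the first entry names $wgMangleFlashPolicy, and state who is granted "editcontentmodel" by default. The 71621 entry also sits between the SECURITY items and the version-history entry without a tag of its own; if it is a hardening change, mark it as one, otherwise group it with the (bug 42723) maintenance entry. Finally, $wgMangleFlashPolicy is now described twice, once in the new first entry and once in the unchanged entry right after the added block; fold the two into one.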
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index da4539472035..7e1cb435a0b1 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -73,7 +73,7 @@ $wgConfigRegistry = array(
* MediaWiki version number
* @since 1.2
*/
-$wgVersion = '1.23.6';
+$wgVersion = '1.23.7';
/**
* Name of the site. It must be changed in LocalSettings.php