diff options
author | Chad Horohoe <chadh@wikimedia.org> | 2015-12-17 15:00:41 -0800 |
---|---|---|
committer | Chad Horohoe <chadh@wikimedia.org> | 2015-12-17 16:31:45 -0800 |
commit | f05a87cc536c5e74dc15d57c6da5244d70d37aaa (patch) | |
tree | 66d483c0e1a3540251380f0d7f70106801b86d39 | |
parent | f30f2e1852162142b63ce4c21bcc09e589f127e4 (diff) |
1.23.12: Prep release notes and bump version number1.23.12
Change-Id: Ide4863e1b864db818f0469ee4367e87318b48b87
-rw-r--r-- | RELEASE-NOTES-1.23 | 21 | ||||
-rw-r--r-- | includes/DefaultSettings.php | 2 |
2 files changed, 22 insertions, 1 deletions
diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23 index d2fb77c54790..5c2ae8a7672e 100644 --- a/RELEASE-NOTES-1.23 +++ b/RELEASE-NOTES-1.23 @@ -1,6 +1,27 @@ Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.23.12 == + +This is a security and maintenance release of the MediaWiki 1.23 branch. + +== Changes since 1.23.11 == +* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths + that do not begin with a slash. This enabled trivial XSS attacks. + Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are + "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an + error. +* (T119309) SECURITY: Use hash_compare() for edit token comparison +* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting + with '@' as file uploads +* (T115522) SECURITY: Passwords generated by User::randomPassword() can no + longer be shorter than $wgMinimalPasswordLength +* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could + result in improper blocks being issued +* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions + and related pages no longer use HTTP redirects and are now redirected by + MediaWiki + == MediaWiki 1.23.11 == This is a security and maintenance release of the MediaWiki 1.23 branch. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index b8f11640f947..7011d6de8d73 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -73,7 +73,7 @@ $wgConfigRegistry = array( * MediaWiki version number * @since 1.2 */ -$wgVersion = '1.23.11'; +$wgVersion = '1.23.12'; /** * Name of the site. It must be changed in LocalSettings.php |