Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
-== MediaWiki 1.17.1 ==
+== MediaWiki 1.17.4 ==
+2012-04-25
-2011-11-24
-
-This a maintenance and security release of the MediaWiki 1.17 branch.
-
-=== Security changes ===
-* (bug 32276) Skins were generating output using the internal page title which
- would allow anonymous users to determine wheter a page exists, potentially
- leaking private data. In fact, the curid and oldid request parameters would
- allow page titles to be enumerated even when they are not guessable.
-* (bug 32616) action=ajax requests were dispatched to the relevant internal
- functions without any read permission checks being done. This could lead to
- data leakage on private wikis.
+This a maintenance of the MediaWiki 1.17 branch.
=== Summary of selected changes in 1.17 ===
* The lowest supported version of PHP is now 5.2.3. If necessary, please
upgrade PHP prior to upgrading MediaWiki.
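Review bot: the replacement summary line `+This a maintenance of the MediaWiki 1.17 branch.` keeps the original's missing verb and also drops "security release", although the retained entries under this same header include security fixes (bug 35961 strict hash comparison, bug 34907 and bug 35317 CSRF); suggest `This is a maintenance and security release of the MediaWiki 1.17 branch.` Note too that the removed `=== Security changes ===` subsection is not re-created anywhere, so the security-relevant entries are no longer called out as such.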
+=== Changes since 1.17.3 ===
+
+* (bug 35961) Hash comparison should always be strict.
+* Fix broken email confirmation expiration caused by MWCryptRand changes.
+* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
+ on line 598.
+
+=== Changes since 1.17.2 ===
+
+* (bug 22555) Remove or skip strip markers from tag hooks like <nowiki> in
+ core parser functions which operate on strings, such as padleft.
+* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token
+ parameter present.
+* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated
+ CSRF attacks.
+* (bug 35317) CSRF in Special:Upload.
+
+=== Changes since 1.17.1 ===
+* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution.
+* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login.
+
=== Changes since 1.17.0 ===
* (bug 29535) Added missing Creative Commons CC0 icon.
* (bug 30907) Special:Unusedcategories should sort ascendingly.
* (bug 30219) The page shown when LocalSettings.php does not exist was broken on
Windows servers.
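Review bot: the new `+=== Changes since 1.17.3 ===` heading sits directly after the 1.17 summary bullet with no blank line, while the 1.17.2 section gets one, and `+=== Changes since 1.17.1 ===` has no blank line after it unlike the 1.17.3 and 1.17.2 headings; the bug 34907 and bug 33117 bullets also run past the 80-column wrap the rest of the file keeps. Suggest a blank line before the 1.17.3 heading and after the 1.17.1 heading, and rewrapping those two bullets onto a continuation line indented by one space as the other entries are.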
+* Hardcoded NLS_NUMERIC_CHARACTERS for Oracle DB to prevent type conversion errors.
+* Fixed recentchanges FK violation on page delete and cache purge error in updater
+ for Oracle DB.
+* (bug 32276) Skins were generating output using the internal page title which
+ would allow anonymous users to determine wheter a page exists, potentially
+ leaking private data. In fact, the curid and oldid request parameters would
+ allow page titles to be enumerated even when they are not guessable.
+* (bug 32616) action=ajax requests were dispatched to the relevant internal
+ functions without any read permission checks being done. This could lead to
+ data leakage on private wikis.
=== Changes since 1.17.0rc1 ===
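Review bot: the two entries moved into `=== Changes since 1.17.0 ===` (bug 32276, bug 32616) carry the typo "wheter" over from the removed block and lose the `=== Security changes ===` subheading that identified them as security fixes; since these lines are being rewritten anyway, correct it to "whether", and either keep them under a security heading or note in the bullet text that they were security fixes so a reader scanning the 1.17.0 to 1.17.1 changes can still spot them.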