X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/mediawiki.git/blobdiff_plain/18a6620945d02687fbcfc4c27355d952fd748b41..19e297c21b10b1b8a3acad5e73fc71dcb35db44a:/RELEASE-NOTES diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 6d288307..05c00206 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -3,11 +3,10 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can. -== MediaWiki 1.17.0 == +== MediaWiki 1.17.4 == +2012-04-25 -2011-06-22 - -This is the first stable release of the MediaWiki 1.17 branch. +This a maintenance of the MediaWiki 1.17 branch. === Summary of selected changes in 1.17 === 
@@ -36,6 +35,68 @@ Selected changes since MediaWiki 1.16 that may be of interest: * The lowest supported version of PHP is now 5.2.3. If necessary, please upgrade PHP prior to upgrading MediaWiki. +=== Changes since 1.17.3 === + +* (bug 35961) Hash comparison should always be strict. +* Fix broken email confirmation expiration caused by MWCryptRand changes. +* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php + on line 598. + +=== Changes since 1.17.2 === + +* (bug 22555) Remove or skip strip markers from tag hooks like <nowiki> in + core parser functions which operate on strings, such as padleft. +* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token + parameter present. +* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated + CSRF attacks. +* (bug 35317) CSRF in Special:Upload. + +=== Changes since 1.17.1 === +* (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution. +* (bug 32709) Private Wiki users were always taken to Special:Badtitle on login. + +=== Changes since 1.17.0 === + +* (bug 29535) Added missing Creative Commons CC0 icon. +* (bug 29726) Fixed failure to load internationalization messages in + client-side scripts on WebKit-based browsers. +* Fixed a bug in message transformation where the previous language could leak + into later transformations in the UI language. +* (bug 29091) Fixed form of native name for Ossetic language (Иронау -> Ирон) +* Fixed maintenance scripts upgrade1_5.php and rebuildImages.php, they did not + work at all since 1.17 beta 1. +* (bug 29531) Fixed img_auth.php for thumbnails and other filenames with + multiple dots, was broken by the fix for bug 28840. +* In the maintenance script purgeList.php, fixed a fatal error when a page + title is given, instead of a URL. +* (bug 19514) Unordered list list-style-image should be IE6-compatible (8-bit). +* Installer checked for magic_quotes_runtime instead of register_globals. 
+* $wgSVGMaxSize is now applied to the smaller of width or height, making very + wide pano/timeline/diagram SVGs renderable at saner sizes. +* (bug 29959) Installer fatal when cURL and allow_url_fopen is disabled and user + tries to subsribe to mediawiki-announce. +* Installer checked for magic_quotes_runtime instead of register_globals +* (bug 30131) XCache with variable caching disabled no longer used for variable + caching (CACHE_ACCEL) +* (bug 30264) Changed installer-generated LocalSettings.php to use require_once() + instead require() for included extensions. +* (bug 26486) ResourceLoader modules with paths to nonexistent files cause PHP + warnings/notices to be thrown +* (bug 30907) Special:Unusedcategories should sort ascendingly. +* (bug 30219) The page shown when LocalSettings.php does not exist was broken on + Windows servers. +* Hardcoded NLS_NUMERIC_CHARACTERS for Oracle DB to prevent type conversion errors. +* Fixed recentchanges FK violation on page delete and cache purge error in updater + for Oracle DB. +* (bug 32276) Skins were generating output using the internal page title which + would allow anonymous users to determine wheter a page exists, potentially + leaking private data. In fact, the curid and oldid request parameters would + allow page titles to be enumerated even when they are not guessable. +* (bug 32616) action=ajax requests were dispatched to the relevant internal + functions without any read permission checks being done. This could lead to + data leakage on private wikis. + === Changes since 1.17.0rc1 === * Fixed syntax error in generated LocalSettings.php when a non-default user 
@@ -49,6 +110,10 @@ Selected changes since MediaWiki 1.16 that may be of interest: redirect. * (bug 29408) Fixed uploads of files with MIME types that aren't detected by MediaWiki. +* Removed DEFAULT '' NOT NULL field definitions from Oracle DB schema because + using the DEFAULT value ('') in DML broke Oracle backend as it treats an + empty VARCHAR2 value as NULL. Indexes on Oracle do not require NOT NULL + fields. === Changes since 1.17 beta 1 ===
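Review bot: In the first hunk (@@ -3,11 +3,10 @@), the new introductory sentence "This a maintenance of the MediaWiki 1.17 branch." is missing its verb and the word "release". Suggest "This is a maintenance release of the MediaWiki 1.17 branch." The hunk also drops the blank line that used to separate the version heading from the release date, so 2012-04-25 now sits directly under "== MediaWiki 1.17.4 =="; restore the blank line if the old layout was intentional.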
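Review bot: In the second hunk (@@ -36,6 +35,68 @@), the entry "Installer checked for magic_quotes_runtime instead of register_globals" is added twice under "Changes since 1.17.0", once with a trailing period and once without; drop the second copy. The same section has two typos, "subsribe" (bug 29959) and "wheter" (bug 32276). The "=== Changes since 1.17.1 ===" heading is not followed by a blank line, unlike the other new headings. Several of the new entries describe security fixes (bugs 34212, 34907 and 35317 on tokens and CSRF, bugs 33117, 32276 and 32616 on data exposure) but are listed among ordinary bug fixes; marking them as security fixes would help administrators decide how urgently to upgrade. The entry "(bug 35961) Hash comparison should always be strict." would also benefit from saying which comparison was affected.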
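Review bot: In the third hunk (@@ -49,6 +110,10 @@), the new Oracle entry is inserted directly above "=== Changes since 1.17 beta 1 ===", which places it in a pre-release section, while the other Oracle fixes added by this patch (NLS_NUMERIC_CHARACTERS, the recentchanges FK violation) are listed under "Changes since 1.17.0". If this schema change shipped in a point release, move it to the matching section so readers upgrading from 1.17.0 see it. Because the entry removes "DEFAULT '' NOT NULL" from the Oracle schema, it should also state whether existing Oracle installations need to run the updater to pick up the change.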