On 11/26/14, Markus Glaser <gla...@hallowelt.biz> wrote:
> Hello everyone,
>
> I would like to announce the release of MediaWiki 1.23.7, 1.22.14 and
> 1.19.22. This is a regular security and maintenance release. Download links
> are given at the end of this email.
>
> == Security fixes ==
> * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject
> code into API clients that used format=php to process pages that underwent
> flash policy mangling. This was fixed along with improving how the mangling
> was done for format=json, and allowing sites to disable the mangling using
> $wgMangleFlashPolicy.
> <https://phabricator.wikimedia.org/T68776>
> <https://phabricator.wikimedia.org/T73478>
>
> * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
> the content model for a page could allow an unprivileged attacker to edit
> another user's common.js under certain circumstances. The user right
> "editcontentmodel" was added, and is needed to change a revision's content
> model.
> <https://phabricator.wikimedia.org/T72901>
>
> * (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow
> raw HTML, it is not safe to preview wikitext coming from an untrusted source
> such as a cross-site request. Thus add an edit token to the form, and when
> raw HTML is allowed, ensure the token is provided before showing the
> preview. This check is not performed on wikis that both allow raw HTML and
> anonymous editing, since there are easier ways to exploit that scenario.
> <https://phabricator.wikimedia.org/T73111>
>
> * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted
> with DELETED_ACTION. NOTICE: this may be reverted in a future release
> pending a public RFC about the desired functionality. This issue was
> reported by user Bawolff.
> <https://phabricator.wikimedia.org/T74222>
>
>
> == Bugfixes ==
> * (bug 71621) Make allowing site-wide styles on restricted special pages a
> config option.
> <https://phabricator.wikimedia.org/T73621>
>
> * (bug 42723) Added updated version history from 1.19.2 to 1.22.13
> <https://phabricator.wikimedia.org/T44723>
>
> * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything
> that might be a flash policy directive configurable.
>
> Full release notes for 1.23.7:
> <https://www.mediawiki.org/wiki/Release_notes/1.23>
>
> Full release notes for 1.22.14:
> <https://www.mediawiki.org/wiki/Release_notes/1.22>
>
> Full release notes for 1.19.22:
> <https://www.mediawiki.org/wiki/Release_notes/1.19>
>
> Public keys:
> <https://www.mediawiki.org/keys/keys.html>
>
> **********************************************************************
> 1.23.7
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.7.tar.gz
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.7.tar.gz
>
> Patch to previous version (1.23.6):
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.7.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.7.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.7.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.7.patch.gz.sig
>
>
> **********************************************************************
> 1.22.14
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.14.tar.gz
>
> Patch to previous version (1.22.13):
> https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.14.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.14.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.14.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.14.patch.gz.sig
>
>
> **********************************************************************
> 1.19.22
> **********************************************************************
> Download:
> https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.22.tar.gz
>
> Patch to previous version (1.19.21):
> https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.22.patch.gz
>
> GPG signatures:
> https://releases.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.22.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.22.tar.gz.sig
> https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.22.patch.gz.sig
>
> Mark Hershberger and Markus Glaser
> (Wiki Release Team)
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Several of these bugs are still marked as security restricted. Now that the
release has been made, can they be made public?

--bawolff
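The first security item in the quoted announcement (format=php output and flash policy mangling) states no mechanism; the following Python is an added illustration, not MediaWiki's code, and assumes the hazard is the general one for length-prefixed serializations: a textual substitution applied after serialize() leaves the s:<n> prefixes stale, while applying it to the data before serializing keeps the output well-formed. POLICY, MANGLED, the minimal serializer/parser and the sample page are all constructed for the demo.

```python
import re

POLICY = "<cross-domain-policy"
# Constructed stand-in for the mangled form (not MediaWiki's actual replacement string).
MANGLED = "<NOT-cross-domain-policy"

def mangle(text):
    """Case-insensitive textual substitution, as a flash-policy mangler does."""
    return re.sub(re.escape(POLICY), MANGLED, text, flags=re.IGNORECASE)
def php_serialize(v):
    """Minimal PHP serialize() for str (ASCII) and dict; the s:<n> prefix is authoritative."""
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'
    body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
    return f"a:{len(v)}:{{{body}}}"
def php_unserialize(s, pos=0):
    """Strict parse: trust s:<n> and require the closing '";' exactly n chars on."""
    tag, colon = s[pos], s.index(":", pos + 2)
    if tag not in ("s", "a"):
        raise ValueError(f"unsupported tag {tag!r}")
    n, pos = int(s[pos + 2:colon]), colon + 2  # skip ':"' or ':{'
    if tag == "s":
        if s[pos + n:pos + n + 2] != '";':
            raise ValueError("declared length does not match payload")
        return s[pos:pos + n], pos + n + 2
    out = {}
    for _ in range(n):
        k, pos = php_unserialize(s, pos)
        out[k], pos = php_unserialize(s, pos)
    if s[pos] != "}":
        raise ValueError("array not terminated")
    return out, pos + 1
def mangle_tree(v):
    """Apply the substitution to every string BEFORE serialization."""
    if isinstance(v, dict):
        return {mangle_tree(k): mangle_tree(x) for k, x in v.items()}
    return mangle(v)
def render_unsafe(data):
    """Mangle AFTER serializing: contents change, the s:<n> prefixes do not."""
    return mangle(php_serialize(data))
def render_safe(data):
    """Mangle first, then serialize, so every length is computed on the final text."""
    return php_serialize(mangle_tree(data))
def is_well_formed(serialized):
    """True only if a strict client can consume the whole payload without a length mismatch."""
    try:
        return php_unserialize(serialized)[1] == len(serialized)
    except (ValueError, IndexError):
        return False
SAMPLE = {"title": "Sandbox", "wikitext": "<cross-domain-policy> is blocked"}  # constructed input
```

A strict client rejects render_unsafe(SAMPLE) at the first stale length; a lenient client is what turns the same mismatch into misparsed data, which is why substituting before serialization (or refusing to emit) is the defensible choice.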