Diffstat (limited to 'RELEASE-NOTES')
-rw-r--r-- | RELEASE-NOTES | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 765d76910724..d818a3201a65 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -4,6 +4,24 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it *off* if you can. +== MediaWiki 1.5 alpha 2 == + +June 3, 2005 + +MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges, +and a security update. + +Incorrect handling of page template inclusions made it possible to +inject JavaScript code into HTML attributes, which could lead to +cross-site scripting attacks on a publicly editable wiki. + +Vulnerable releases and fix: +* 1.5 prerelease: fixed in 1.5alpha2 +* 1.4 stable series: fixed in 1.4.5 +* 1.3 legacy series: fixed in 1.3.13 +* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended + + == MediaWiki 1.5 alpha 1 == May 3, 2005 @@ -242,6 +260,7 @@ Various bugfixes, small features, and a few experimental things: * (bug 684) Accept an attribute parameter array on parser hook tags * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external LDAP authentication plugin +* (bug 2034) Armor HTML attributes against template inclusion and links munging === Caveats === |
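Review bot: In the new "MediaWiki 1.5 alpha 2" section, the security paragraph carries no bug reference, while the changelog line added in the second hunk, "(bug 2034) Armor HTML attributes against template inclusion and links munging", appears to record the same fix. Citing the bug number in the paragraph or in the "Vulnerable releases and fix" list would let an administrator tie the advisory to the changelog entry. The release is also spelled two ways in this hunk, "1.5 alpha 2" in the heading and "1.5alpha2" in the list; one form throughout would be easier to search for.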
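Review bot: The added "(bug 2034)" line in the second hunk sits in the general "Various bugfixes, small features, and a few experimental things" list with nothing marking it as a security fix, and "Armor HTML attributes" does not say what the exposure was. Consider wording it as the fix for JavaScript injection into HTML attributes via template inclusion and pointing to the 1.5 alpha 2 security note, so that someone scanning the changelog does not read it as routine hardening.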