Path to this page:
Subject: CVS commit: pkgsrc/www/mediawiki
From: Wen Heping
Date: 2017-11-19 09:36:57
Message id: 20171119083657.BD0E5FB3F@cvs.NetBSD.org
Log Message:
Update to 1.29.2
Upstream changes:
MediaWiki 1.29.2
This is a security and maintenance release of the MediaWiki 1.29 branch.
Changes since 1.29.1
(T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
(T175439) Unbreak Postgres Updater when setting defaults for a column.
(T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
Fixed login button label to accept RawMessage.
Fixed case of SpecialRecentChanges class usage.
(T174255) Declare uploadCount property in importDump.php.
(T163646) Pass a string not an int to mysql_real_escape_string().
(T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
(T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and \
browser sends non-standard url escaping.
(T165846) SECURITY: BotPassword login attempts weren't throttled.
(T128209) SECURITY: Reflected File Download from api.php.
(T134100) SECURITY: Do not reveal if user exists during login failure.
(T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
(T125163) SECURITY: Make anchor for headlines escape > and <.
(T180237) SECURITY: Protect vendor folder with .htaccess.
(T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
(T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
(T119158) SECURITY: Handle -{}- syntax in attributes safely.
(T180488) (T125177) "api.log contains passwords in plaintext" \
wasn't correctly fixed in all branches in the previous security release.
Files: