Subject: CVS commit: [pkgsrc-2017Q1] pkgsrc/www/mediawiki
From: S.P.Zeidler
Date: 2017-04-09 19:55:03
Message id: 20170409175503.A1E2AFBE4@cvs.NetBSD.org

Log Message:
Pullup ticket #5257 - requested by wen
www/mediawiki: security update

Revisions pulled up:
- www/mediawiki/Makefile                                        1.64
- www/mediawiki/PLIST                                           1.31
- www/mediawiki/distinfo                                        1.49

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   wen
   Date:           Sun Apr  9 01:26:46 UTC 2017

   Modified Files:
           pkgsrc/www/mediawiki: Makefile PLIST distinfo

   Log Message:
   Update to 1.18.1

   Upstream changes:
   MediaWiki 1.28.1
   Changes since 1.28.0

       $wgRunJobsAsync is now false by default (T142751). This change
   only affects wikis with $wgJobRunRate > 0.
       Fix fatal from "WaitConditionLoop" not being found, experienced
   when a wiki has more than one database server setup.
       (T152717) Better escaping for PHP mail() command
       (T154670) A missing method causing the MySQL installer to fatal in
   rare circumstances was restored.
       (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
       (T158766) Avoid SQL error on MSSQL when using selectRowCount()
       (T145635) Fix too long index error when installing with MSSQL
       (T156184) $wgRawHtml will no longer apply to internationalization messages.
       (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator
   is installed.
       (T154872) Fix incorrect ar_usertext_timestamp index names in new
   1.28 installs.
       (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search
   allow redirect to interwiki links.
       (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
   $wgAdvancedSearchHighlighting is true.
       (T125177) SECURITY: API parameters may now be marked as
   "sensitive" to keep their values out of the logs.
       (T150044) SECURITY: "Mark all pages visited" on the watchlist now
   requires a CSRF token.
       (T156184) SECURITY: Escape content model/format url parameter in message.
       (T151735) SECURITY: SVG filter evasion using default attribute
   values in DTD declaration.
       (T161453) SECURITY: LocalisationCache will no longer use the
   temporary directory in it's fallback chain when trying to work out
   where to write the cache.
       (T48143) SECURITY: Spam blacklist ineffective on encoded URLs
   inside file inclusion syntax's link parameter.

   To generate a diff of this commit:
   cvs rdiff -u -r1.63 -r1.64 pkgsrc/www/mediawiki/Makefile
   cvs rdiff -u -r1.30 -r1.31 pkgsrc/www/mediawiki/PLIST
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/www/mediawiki/distinfo

Files:
RevisionActionfile
1.62.4.1modifypkgsrc/www/mediawiki/Makefile
1.30.4.1modifypkgsrc/www/mediawiki/PLIST
1.48.4.1modifypkgsrc/www/mediawiki/distinfo