Changelog for mediawiki-1.23.9-1.fc20.noarch.rpm :
Wed Apr 1 14:00:00 2015 Michael Cronenworth - 1.23.9-1
- Update to 1.23.9
- (bug T85848, bug T71210) SECURITY: Don\'t parse XMP blocks that contain XML entities, to prevent various DoS attacks.
- (bug T85848) SECURITY: Don\'t allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
- (bug T88310) SECURITY: Always expand xml entities when checking SVG\'s.
- (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
- (bug T85855) SECURITY: Don\'t execute another user\'s CSS or JS on preview.
- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer\'s privacy.
- (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Thu Dec 18 13:00:00 2014 Michael Cronenworth - 1.23.8-1
- Update to 1.23.8
- (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
- (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
- (bug T74222) The original patch for T74222 was reverted as unnecessary.

Fri Nov 28 13:00:00 2014 Michael Cronenworth - 1.23.7-1
- Update to 1.23.7
- Release notes: http://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.7

Mon Nov 3 13:00:00 2014 Michael Cronenworth - 1.23.6-1
- Update to 1.23.6
- (bug 67440) Allow classes to be registered properly from installer
- (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header

Thu Oct 2 14:00:00 2014 Michael Cronenworth - 1.23.5-1
- Update to 1.23.5
- CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
allowance.

Fri Sep 26 14:00:00 2014 Michael Cronenworth - 1.23.4-1
- Update to 1.23.4
- (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter