Changelog for
mediawiki-1.31.1-3.1.noarch.rpm :
Thu Nov 29 13:00:00 2018 jweberhoferAATTweberhofer.at
- mediawiki-1.31-use-localsettings-from-web-path.patch
fixes the handling of locations in our directories
- cleaned up spec
- cleaned up admin scripts
Fri Nov 2 13:00:00 2018 ecsosAATTopensuse.org
- Update to version 1.31.1
This is a security and maintenance release
of the MediaWiki 1.31 branch.
Changes since MediaWiki 1.31.0
- (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry
for 'user' overrides 'newbie'.
- (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass
CentralAuth's account lock.
- (task T199029, CVE-2018-13258) SECURITY: Tarball was missing
.htaccess files.
- (task T197229) Bundle Nuke extension, it was accidentally
omitted.
- (task T193995) Fix undefined patchPath() method call in parser
tests.
- (task T198687) Fix various selectFields methods to use
the string 'NULL', not null.
- Special:BotPasswords now requires reauthentication.
- (task T191608, task T187638) Add 'logid' parameter
to Special:Log.
- (task T193829) Indicate when a Bot Password needs reset.
- (task T198037) GitInfo: Don't try shelling out if it's disabled.
- (task T151415) Log email changes.
- (task T197206) Fix performance regression when multiple DB
used without caching.
- (task T197030) PHPSessionHandler: Suppress headers warnings in
initialize().
- (task T182377, task T196793) Exif: Guard against uncountable
tag values.
- (task T200861) Fix total breakage of SQLite web upgrade.
- (task T200864) Fix pingback over-reporting on non-MySQL
databases
- (task T202550) Unbreak SpecialListusersHeaderForm and
SpecialListusersHeader hooks.
- rebase makealias.sh for apache >= 2.4 and new .htaccess
Mon Jun 18 14:00:00 2018 ecsosAATTopensuse.org
- Update to version 1.31.0
- requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is supported
See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.31
(There are too many changes to list here)
Mon May 28 14:00:00 2018 jweberhoferAATTweberhofer.at
- Clean-up spec file
- No longer require php-ssl
- Removed sections for suse < 10.x
Mon Feb 19 13:00:00 2018 jweberhoferAATTweberhofer.at
- Updated dependencies
- Update to version 1.30.0
See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.30
Configuration changes:
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to
avoid unexpected behavior when code uses locale-sensitive string
comparisons. For example, the Scribunto extension considers "bar" < "Foo"
in most locales since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
class names. This is intended for extensions that want control over the
instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative to
plain class names, using the 'factory' key in the module description array.
This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T45547) $wgUsePigLatinVariant added (off by default).
* $wgRangeContributionsCIDRLimit was introduced to control the size of IP
ranges that can be queried at Special:Contributions.
New Features:
* (T163562) Added the ability to search for contributions within an IP range
at Special:Contributions. References to revisions made by IPs are stored in
the ip_changes table to make querying for ranges more efficient.
* (T37247) Output from Parser::parse() will now be wrapped in a <div> with
class="mw-parser-output" by default. This may be changed or disabled using
ParserOptions::setWrapOutputClass().
* Added the 'ChangeTagsAllowedAdd' hook, enabling extensions to allow
software-specific tags to be added by users.
* Added the 'ParserOptionsRegister' hook to allow extensions to register
additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
LanguageConverter variant. This allows English-speaking developers to
develop and test LanguageConverter more easily. Pig Latin can be enabled by
setting $wgUsePigLatinVariant to true.
* Added the 'RecentChangesPurgeRows' hook to allow extensions to purge data
that depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
Action API changes:
* (T37247) action=parse output will be wrapped in a <div> with
class="mw-parser-output" by default. This may be changed or disabled using
the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
parameters to prop=revisions are deprecated, as are the similarly named
parameters to prop=deletedrevisions, list=allrevisions, and
list=alldeletedrevisions. Use action=compare, action=parse, or
action=expandtemplates instead.
And several other changes
Tue Nov 21 13:00:00 2017 ecsosAATTopensuse.org
- Update to version 1.29.2
This is a security and maintenance release
of the MediaWiki 1.29 branch.
Changes since 1.29.1
* (T166757) Avoid scoped lock errors in Category::refreshCounts()
due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for
a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency
to ~5.2.
* Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when
$wgShowExceptionDetails = false and browser sends non-standard
url escaping. (CVE-2017-8808)
* (T165846) SECURITY: BotPassword login attempts weren't
throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
(CVE-2017-8809)
* (T134100) SECURITY: Do not reveal if user exists during login
failure. (CVE-2017-8810)
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
(CVE-2017-8811)
* (T125163) SECURITY: Make anchor for headlines escape > and <.
(CVE-2017-8812)
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if
exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits
pcre.backtrack_limit. (CVE-2017-8814)
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
(CVE-2017-8815)
* (T180488) (T125177) "api.log contains passwords in plaintext"
wasn't correctly fixed in all branches in the previous security
release. (CVE-2017-0361)
Thu Oct 12 14:00:00 2017 jweberhoferAATTweberhofer.at
- Require php-openssl instead of php-mcrypt
- Update to version 1.29.1. Changelog: https://www.mediawiki.org/wiki/MediaWiki_1.29
Configuration changes
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive
DMARC policies.
* Subpages are now enabled by default in the Template namespace.
New features
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous
edits from certain IP ranges (e.g. private IPs).
* Added new magic word {{PAGELANGUAGE}} which returns the language code of the
page being parsed. (bug T59603)
* Users can now be assigned to user groups for a limited period of time. See
the help page for more information.
Action API changes
* Submitting sensitive authentication request parameters to
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed.
* action=clearhasmsg now requires a POST.
* (task T47843) API errors and warnings may be requested in non-English
languages using the new errorformat, errorlang, and errorsuselocal
parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* action=emailuser may return a "Warnings" status, and now returns 'warnings'
and 'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than errormessage.
* action=move now reports errors when moving the talk page as an array under
key talkmove-errors, rather than using talkmove-error-code and
talkmove-error-info. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a messageHtml property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error',
and no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account
creation and password change forms.
Action API internal changes
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
- ApiBase::dieUsage() was deprecated
- ApiBase::dieUsageMsg() was deprecated
- ApiBase::dieUsageMsgOrDebug() was deprecated
- ApiBase::getErrorFromStatus() was deprecated
- ApiBase::parseMsg() was deprecated
- ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things
that catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-'
prefixes from the message key, and maps some message keys for backwards
compatibility.
Languages updated
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded.
* No fallback for Ukrainian
* (task T39314) The fallback from Ukrainian to Russian was removed. The
Ukrainian language will now use the default fallback language: English.
When a translation to Ukrainian is not available, an English string will
be shown.
Other changes
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" URLs to continue to work, set up redirects.
Mon May 15 14:00:00 2017 ecsosAATTopensuse.org
- update to 1.28.2
This is a security release of the MediaWiki 1.28 branch.
Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did
not contain the fix for SyntaxHighlight_GeSHi.
This new release does contain that fix.
- update to 1.28.1
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.0 ===
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
more than one database server setup.
* (T152717) Better escaping for PHP mail() command.
* (T154670) A missing method causing the MySQL installer to fatal in rare
circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
Mon Jan 9 13:00:00 2017 ecsosAATTopensuse.org
- update to 1.28.0
=== Breaking changes ===
* Magic links are now disabled by default. They can be enabled by
changing the value of $wgEnableMagicLinks. It has been proposed
to remove magic link functionality from MediaWiki in a future
release, if you depend upon or use them it is requested that you
comment at Requests for comment/Future of magic links.
=== Changes since 1.28.0rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
comment to a machine-readable JavaScript config option 'wgPageParseReport'
have been undone. They caused the human-readable limit report to be shown
incompletely or not at all. ParserOutput::setLimitReportData() and
getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
the text of subheadings on a category page when creating it. This wasn't
working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
canonical pretty URL when a non-pretty URL is used. It resulted in redirect
loops in some clients and in some server configurations. This undoes a change
made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
signifies local uploads. A value of `[]` (empty array) now means that
no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
for Esperanto language character conversion. You are now recommended to use
input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user')
instead of just administrators ('sysop'). Documentation for this feature is
available at .
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
a tracking category will be added to help identify usage and make it easier to migrate
away from. If you depend upon magic link functionality, it is requested that you comment
on and
explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations,
a 'numeric' collation is also available. If migrating from another
collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: \"xit\" for days in current
month, and \"xiz\" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
appropriate for sending multi-valued parameters. This defaults to true when
the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
MediaWiki will wait for the replica databases to synchronize with the master database
while it renders the HTML output. However, if the output is a redirect to another wiki
on the wiki farm with a different domain, MediaWiki will instead alter the redirect
URL to include a ?cpPosTime parameter that triggers the database synchronization when
the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline