Changelog for
mediawiki-1.27.0-66.1.noarch.rpm :
Thu Jul 7 14:00:00 2016 jweberhoferAATTweberhofer.at
- Improved dependencies
Tue Jul 5 14:00:00 2016 jweberhoferAATTweberhofer.at
- Update to version 1.27.0
- Breaking changes:
* MediaWiki now requires at least PHP 5.5.9. This corresponds with HHVM 3.1.
* Note that this new branch brought breaking changes to a number of extensions,
many of which have not been updated yet.
* If the openssl and mcrypt PHP extensions are both unavailable, secure
session storage (used for login) will raise an exception. This exception
may be bypassed by setting $wgSessionInsecureSecrets = true;. Note that
this bypass is not recommended. It is insecure. You should not use it.
* The RandomRootPage extension has been merged into MediaWiki core. If you
have it installed, you should uninstall it.
* The ApiSandbox extension has been merged into MediaWiki core. If you have
it installed, you should uninstall it.
* AuthManager. If you\'re writing a new extension, you should definitely follow
Manual:SessionManager and AuthManager and then upgrade to 1.27 to use it. If
you are making sure an existing extension is compatible with 1.27, see the
updating tips.
- New feature:
* InstantCommons will now truly work out of the box, as long as
your users can connect to upload.wikimedia.org
- For a complete list of changes see:
https://www.mediawiki.org/wiki/Release_notes/1.27#MediaWiki_1.27.0
Fri May 20 14:00:00 2016 jweberhoferAATTweberhofer.at
- Update to version 1.26.3
* T122056: Old tokens are remaining valid within a new session
* T127114: Login throttle can be tricked using non-canonicalized usernames
* T123653: Cross-domain policy regexp is too narrow
* T123071: Incorrectly identifying http link in a\'s href attributes, due to
m modifier in regex
* T129506: MediaWiki:Gadget-popups.js isn\'t renderable
* T125283: Users occasionally logged in as different users after
SessionManager deployment
* T103239: Patrol allows click catching and patrolling of any page
* T122807: [tracking] Check php crypto primatives
* T98313: Graphs can leak tokens, leading to CSRF
* T130947: Diff generation should use PoolCounter
* T133507: Careless use of $wgExternalLinkTarget is insecure
* T132874: API action=move is not rate limited
* T110143: strip markers can be used to get around html attribute escaping
in (many?) parser tags (This fix affects both core and SyntaxHighlight_GeSHi)
* T116030: Increase pbkdf2 parameter strengths
* T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded
* T126685: Globally throttle password attempts
Sun Jan 3 13:00:00 2016 ecsosAATTopensuse.org
- Update to version 1.26.2
* (T121892) Fix fatal error on some Special pages.
Fri Dec 18 13:00:00 2015 jweberhoferAATTweberhofer.at
- Update to version 1.26.1
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as \"http://my.wiki.com/wiki/$1\" are fine, as are \"/wiki/$1\". A
value such as \"$1\" or \"wiki/$1\" is not and will now throw an error
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don\'t allow cURL to interpret POST parameters starting
with \'AATT\' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
Sat Nov 28 13:00:00 2015 jweberhoferAATTweberhofer.at
- Added a conflicts section to force installation of mediawiki-math with curren
versioning scheme.
- Update to version 1.26.0
=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes[\'email\'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
use the \'rawcontinue\' parameter to receive raw query-continue data, but the
new style is encouraged as it\'s harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The \"Signature\" button on the edit toolbar is now hidden by default
in non-talk namespaces. A new configuration variable,
$wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
the \"Signature\" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
This experimental feature was never enabled by default and is obsolete as of
MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
*
* AuthPlugin::initUser() is replaced by LocalUserCreated.
*
* AuthPlugin::updateUser() is replaced by UserLoggedIn.
*
* AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
*
* AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
*
* AuthPluginUser::isHidden() is replaced by UserIsHidden.
*
* AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
blocked users to edit their talk pages unless explicitly disabled
when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
\"tag-
\" interface message.
* \':\' (colon) is now invalid in usernames for new accounts. Existing accounts
are not affected.
* Added a new hook, \'LogException\', to log exceptions in nonstandard ways.
* Revive the \'SpecialSearchResultsAppend\' hook which occurs after the list of
search results are rendered. The initial use case is to append a \"give us
feedback\" link beneath the search results.
* Added a new hook, \'RejectParserCacheValue\', which allows extensions to
reject an otherwise-successful parser cache lookup. The intent is to allow
extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
($wgExtendedLoginCookieExpiration) can be configured independently of the
expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
of WebP images still disabled by default. Add $wgFileExtensions[] =
\'webp\'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks \'EnhancedChangesListModifyLineData\' &
\'EnhancedChangesListModifyBlockLineData\', to modify the data used to build
lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
This corresponds to a new $wgMainWANCache setting, which defaults to using
the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
memcached and APC (if available), rather than memcached and local files.
* Added a new hook, \'RandomPageQuery\', to allow modification of the query used
by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
startup modules are no longer synchronously loaded.
* \'mediawiki.ui.button\' styles are no longer unconditionally loaded on every
page. During the deprecation period, the styles will only be loaded on pages
which contain \'mw-ui-button\' in their HTML. Starting in 1.28, the styles will
only be loaded if explicitly required.
* If search returns zero results and current search engine has a \"did you mean\"
suggestion, results for suggestion will be shown. Can be disabled by setting
$wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
from the client-side. See documentation for mw.Upload and its
subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
subclasses for more information.
== extension.json changes in 1.26 ==
* (T99344) The extension.json schema is now versioned. All extensions
and skins should set a \"manifest_version\" property corresponding to
the schema version they were written for. The only supported version
currently is \"1\".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
can now set a \"_prefix\" key to override the default of \"wg\".
* (T99084) Extensions can now specify what MediaWiki core versions they
depend upon.
* (T105236) The extension.json schema now validates custom classes in
the \"ResourceModules\" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.
==== New external libraries ====
* Added composer/semver v1.0.0.
* Added mediawiki/at-ease v1.1.0.
* Added wikimedia/assert v0.2.2.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
=== Bug fixes in 1.26 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T65198) Talk page tabs now have a \"rel=discussion\" attribute
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
value if set to an empty string.
=== Action API changes in 1.26 ===
* New-style continuation is now the default for action=continue. Clients may
use the \'rawcontinue\' parameter to receive raw query-continue data, but the
new style is encouraged as it\'s harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* API action=query&list=tags: The displayname can now be boolean false if the
tag is meant to be hidden from user interfaces.
* action=import no longer allows both the namespace= and rootpage= parameters
to be set. If they are both set, the value of rootpage= will be ignored.
* prop=revision output in enum mode is now sorted by timestamp rather than
revision ID. This usually won\'t make any difference.
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
with formatversion=2.
* Various other output from meta=siteinfo will now always be arrays instead of
sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random\'s rnredirect parameter is deprecated in favor of a new
rnfilterredir parameter that also allows for listing both redirects and
non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
and will honor corresponding If-None-Match and If-Modified-Since on such
requests.
=== Action API internal changes in 1.26 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
into the value when the value is an assoc.
* API action modules may now provide values for the RFC 7232 ETag and
Last-Modified headers. The API will check these against If-None-Match and
If-Modified-Since request headers on GET requests and avoid executing the
module when appropriate.
=== Languages updated in 1.26 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Languages added:
*
* ase (American sign language), thanks to translator Icemandeaf
*
* dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
मेश सिंह बोहरा, and राम प्रसाद जोशी
*
* luz (لئری دوٙمینی / Southern Luri)
*
* olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
Ilja.mos, and Mashoi7
=== Other changes in 1.26 ===
* ChangeTags::tagDescription() will return false if the interface message
for the tag is disabled.
* Added PageHistoryPager::doBatchLookups hook.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
ContentHandler, to provide a way for ApiEditPage and EditPage to check
if direct editing of content is allowed. These methods return false,
by default for the ContentHandler base class and true for TextContentHandler
and it\'s derivative classes (everything in core). For Content types that
do not support direct editing, an alternative mechanism should be provided
for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
one function. The callback can\'t be called directly any more. The callback
function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
ResourceLoaderModule::getDependencies(). Extension classes that override that
method should be updated. If they aren\'t updated, PHP Strict standards
warnings will appear when E_STRICT error reporting is enabled. Note: in the
near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
items that were stripped during parsing. It will use a fixed string instead.
This causes the parser to re-use the regular expressions it uses to search
and replace markers rather than generate novel expressions on each parse.
Re-using regular expressions will improve performance on HHVM and the
forthcoming PHP 7. The interfaces changes accompanying this change are:
- Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
- The $uniq_prefix argument for Parser::extractTagsAndParams() and the
$prefix argument for StripState::_construct() are deprecated and their
value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
mediawiki/at-ease, and are now deprecated. Callers should use
MediaWiki\\suppressWarnings() and MediaWiki\\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
instead of many optional positional arguments. Calling the constructor the old
way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
are deprecated. Applications using those can work via the OAuth
extension instead. New tokens types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.
Mon Oct 19 14:00:00 2015 jweberhoferAATTweberhofer.at
Updated to security and maintenance release 1.15.3
* Wikipedia user RobinHood70 reported two issues in the chunked upload API. The
API failed to correctly stop adding new chunks to the upload when the
reported size was exceeded (T91203), allowing a malicious users to upload add
an infinite number of chunks for a single file upload. Additionally, a
malicious user could upload chunks of 1 byte for very large files,
potentially creating a very large number of files on the server\'s filesystem
(T91205).
* Internal review discovered that it is not possible to throttle file
uploads. (T91850)
* Internal review discovered a missing authorization check when removing
suppression from a revision. This allowed users with the \'viewsuppressed\'
user right but not the appropriate \'suppressrevision\' user right to
unsuppress revisions. (T95589)
* Richard Stanway from teamliquid.net reported that thumbnails of PNG files
generated with ImageMagick contained the local file path in the image
metadata. (T108616)
* Fix having multiple callbacks for a single hook.(T98975)
* maintenance/refreshLinks.php did not always remove all links pointing to
nonexistent pages. (T107632)
* $wgEmergencyContact and $wgPasswordSender now use their default value if set
to an empty string. (T104142)
* Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was
causing an error when accessing the api help page if the mbstring PHP
extension was not installed.(T62174)
* Confirmation emails would sometimes contain invalid codes. (T105896)
* Fixed edit stash inclusion queries.(T105597)
Sun Sep 6 14:00:00 2015 jweberhoferAATTweberhofer.at
- updated to security and maintenance release 1.15.2
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don\'t leak autoblocked IP addresses on
Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
$wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
a \"manifest_version\" property for 1.26 compatability will no longer
trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
named variable. Add an additional check that an index is defined.
Tue May 26 14:00:00 2015 jweberhoferAATTweberhofer.at
- update to release 1.25.1
MediaWiki 1.25 includes all changes released in the smaller 1.25wmf
*
software deployments to Wikimedia sites over six months, totaling
approximately 2200 changes.
* Indicators – Templates that add icons to the top right corner of the page
(and more) can be updated to use the new page status indicators feature.
* Enhanced recent changes – MediaWiki now uses by default the extended
watchlist and so called enhanced recent changes (preference \"Group changes
by page in recent changes and watchlist\"), which also received several
improvements in MediaWiki 1.24 and 1.25 (task 37785). This means that
Special:RecentChanges and Special:Watchlist show all the changes to each
page in a given day, sorted by page rather than chronologically. Changes to
each page are collapsed by default and a compact overview is shown, with
links to collated diffs and counts of each user\'s actions. Full activity
for an individual page can then be shown with a single click. Users will no
longer need to know in detail how a single change was chosen for display in
order to figure out what else may have happened to the page that day, nor
to scan a long list of non-contiguous lines on the screen in order to get a
complete picture. The change is part of MediaWiki\'s evolution towards an
interface which is more discoverable and less cluttered by default, while
equally easy to quickly access in full, with the help of JavaScript.
However, the (grouped) layout is an improvement for non-JavaScript users as
well.
* Live preview – While editing, you\'re not sure what a wikitext syntax will
produce? That\'s no longer a problem, now that live preview is no longer
experimental. By enabling the feature in your preferences, MediaWiki will
display the effect of your edits without fully reloading the page, so that
you can quickly correct any mistake.
* Import – The import tool is now much easier to use on content from a wiki
which has different namespaces than yours (e.g. because it\'s in another
language).
* Internationalization – In logging and gender support, continuing the work
in MediaWiki 1.18 and 1.19, multiple log types of Special:Log have been
migrated to the new logging system, which allows full internationalization
including word order and grammatical gender. The migration continues. See
task T26620 for a list.
Locales – The following locales have been added: अवधी, بلوچی رخشانی and
Koyraboro Senni.
* API documentation is localized and easier to access through
Special:ApiHelp.
== What\'s new for system administrators? ==
* PHP 5.3.3 is now required (from 5.3.2)
* Extensions and skins are now loaded through a new registration system
* Profiling was completely overhauled to use the xhprof module.
Full release notes:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_25/RELEASE-NOTES-1.25
https://www.mediawiki.org/wiki/Release_notes/1.25
Wed Apr 1 14:00:00 2015 jweberhoferAATTweberhofer.at
- update to security release 1.24.2
- iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
- MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
- MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki\'s Html class, in combination with
LanguageConverter substitutions.
- Internal review discovered that MediaWiki\'s SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes
from Beyond Security.
- iSEC Partners discovered a XSS vulnerability in the way api errors were
reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8).
MediaWiki now detects and mitigates this issue on older versions of HHVM.
- Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
MediaWiki versions using PBKDF2 for password hashing (the default since
1.24) are vulnerable to DoS attacks using extremely long passwords.
- iSEC Partners discovered that MediaWiki\'s SVG and XMP parsing, running
under HHVM, was susceptible to \"Billion Laughs\" DoS attacks
(iSEC-WMF1214-13).
- Internal review found that MediaWiki is vulnerable to \"Quadratic Blowup\"
DoS attacks, under both HHVM and Zend PHP.
- iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3). This could violate the anonymity of users viewing
the SVG.
- iSEC Partners reported that the MediaWiki feature allowing a user to
preview another user\'s custom JavaScript could be abused for privilege
escalation (iSEC-WMF1214-10). This feature has been removed.
Additionally, the following extensions have been updated to fix security
issues:
- Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
names were not sanitized in Lua error backtraces, which could lead to XSS.
- Extension:CheckUser - iSEC Partners discovered that the CheckUser
extension did not prevent CSRF attacks on the form allowing checkusers to
look up sensitive information about other users (iSEC-WMF1214-6). Since the
use of CheckUser is logged, the CSRF could be abused to defame a trusted
user or flood the logs with noise.
Additiona bug fixes:
- Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to
fix loading these special pages when $wgAutoloadAttemptLowercase is false.
- (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema
change and running update.php to fix.
- (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
Sat Jan 17 13:00:00 2015 ecsosAATTopensuse.org
- Upgraded to security release 1.24.1
* Fix case of SpecialAllPages/SpecialAllMessages in
SpecialPageFactory to fix loading these special pages when
$wgAutoloadAttemptLowercase is false.
* (bug T70087) Fix Special:ActiveUsers page for installations
using PostgreSQL.
Wed Jan 14 13:00:00 2015 jweberhoferAATTweberhofer.at
- Modified update-script to include vector-skin in LocalSettings.php by
default or to move vector-skins location when updating from older
mediawiki versions.
- Release 1.24.0
Full release notes at: https://www.mediawiki.org/wiki/Release_notes/1.24
Preferences made easier: MediaWiki is known to be extremely flexible and
customisable, but few users use its full potential. In 1.24, we aim to make
dozens obscure preferences easily discoverable and obvious to use.
New features:
* Category pages can now be moved (mw#5451).
* MergeHistory for all administrators by default (mw#66155).
* Improvements have been made to the password storage system, allowing improved
security against offline attacks should a wiki\'s database be compromised by
attackers. Then, the default password storage algorithm was changed to
PBKDF2. PBKDF2 and Bcrypt have built-in support in PHP. The new extensible
password API makes it trivial to implement scrypt support if we wanted to.
Usability:
* The move feature and other actions are now discoverable in Vector, thanks to
a label for the dropdown where they\'re hidden by default (bug 44591).
* Specify default language on a per-page basis
* Redirect to Special:UserLogin when logging is in required to proceed, instead
of showing an error message
In 2014, MediaWiki development has a new focus on frontend performance:
* Improved Vector skin performance by removing collapsibleNav, which used to
collapse some sidebar elements by default. This removes -list id suffixes
like p-lang-list: instead of using things like #p-lang-list, you can do
[#]p-lang .body ul. If you would like CollapsibleNav back please use the
CollapsibleVector extension. (mw#39035)
Upgrade notices for MediaWiki administrators:
Breaking changes:
* Upgrade jQuery to version 1.11.x:
[[mailarchive:wikitech-l/2014-June/076842.html]]
* Support for register_globals (deprecated 5 years ago) was dropped, MediaWiki
will no longer run with it enabled.
* {{!}} is now a magic word that results in |, mainly for use in templates and
other complex templates. If your wiki has another template at Template:!, you
will need to change the name and update any usage of it. If your Template:!
is just |, it can be safely deleted.
API changes:
Starting with MediaWiki 1.24, we\'re cleaning up the API, and working towards an
API 2.0. See the roadmap for more details.
* Rarely used formats deprecated: dbg, dump, txt, wddx, yaml. These may be
removed in a future release.
* Token handling overhauled: the action=tokens module is now deprecated and
replaced by action=query&meta=tokens. Most actions now just take a generic
\"csrf\" token, and the token type is now properly documented in the
auto-generated documentation.
* And more! See the RELEASE-NOTES-1.24 file for a full list.
Directory changes:
The legacy \'\'\'skins/common/\'\'\' directory has been emptied and deleted as part
of the skin system cleanup. Files that have been present in it have been moved
elsewhere or deleted (if they were unused). If you loaded any of these files as
part of your custom skin or on-wiki CSS/JS, you should make a copy of the old
files in a non-MediaWiki directory. See the RELEASE-NOTES-1.24 file for the
full list of moved/deleted files.
Browser support deprecated or removed:
Full support for Internet Explorer 6 and Internet Explorer 7 has been removed:
it will browse MediaWiki without JavaScript. JavaScript fixes specific to it
have also been removed. Additional IE6 and IE7 fixes that exist in
MediaWiki:Common.js and similar can be safely removed.
Skins no longer loaded after upgrade?
MediaWiki 1.24 no longer uses the skin autodiscovery mechanism to load default
skins, instead requiring that the skins be manually loaded in
LocalSettings.php, much like extensions
(see [[Manual:Skin configuration#Installing skins]]).
This will require you to update LocalSettings.php after the upgrade - a
prominently displayed warning message should guide you through the process,
suggesting the exact configuration that you need to add. If you\'re upgrading
via a tarball release, that is all you need to do. If you\'re upgrading via git
or otherwise from source, note that the skins themselves have been each moved
to a separate repository and will need to be installed separately (much like
extensions, some basic ones are included in the tarball).
Composer:
If you are using extensions managed by composer, make sure to backup your
existing composer.json file as it will be overwritten on upgrade.
Thu Oct 30 13:00:00 2014 jweberhoferAATTweberhofer.at
- Upgraded to bugfix release 1.23.6
* Allow classes to be registered properly from installer (MW#67440)
* Job queue not running (HTTP 411) due to missing Content-Length: header
(MW#72274)
Fri Oct 3 14:00:00 2014 jweberhoferAATTweberhofer.at
- Upgraded to security release 1.23.5
* SECURITY: OutputPage: Remove separation of css and js module allowance.
(MW#70672)
Thu Sep 25 14:00:00 2014 jweberhoferAATTweberhofer.at
- Upgraded to security and maintenance release 1.23.4
* SECURITY: Enhance CSS filtering in SVG files. Filter 
