Changelog for mediawiki-apache-1.39.8-lp154.1.1.noarch.rpm :

* Sun Jun 30 2024 Carsten Ziepke - Update to Mediawiki 1.39.8 Security and maintenance release
* Localisation updates.
* tests: Skip failing tests on php8.2 (and make pass).
* (T326480) ApiResult: Make array ordering consistent across PHP versions.
* (T352789, T287972) build: Raise TestingAccessWrapper from 2.0.0 to 3.0.0.
* (T326478) tests: Create new classes to hold dynamic properties in auth tests.
* (T326478) tests: Avoid dynamic properties in AuthenticationProvider Test.
* (T326466) Introduce and use DynamicPropertyTestHelper.
* tests: Skip failing tests on php8.3 (and make pass).
* (T352910) tests: Use TestingAccessWrapper::newFromClass in session tests.
* (T326478) tests: Avoid dynamic properties in auth tests.
* (T326479, T361985) StatusValue: Allow passing arbitrary data to augment result.
* tests: Remove dead code from WikiPageDbTest::assertPreparedEditNotEquals.
* (T326478) tests: Avoid dynamic properties in SessionManagerTest.
* (T361990) Upgrading wikimedia/parsoid (v0.16.3 => v0.16.4).
* (T357760) Use i18n strings for truncated subpage message in SpecialMovePage.
* ArticleTest: Skip testGetOrSetOnNewProperty() if PHP >= 8.2.
* (T361982) Update wikimedia/less.php from 3.1.0 to 3.2.1.
* debug: Update PsySH 0.11.1 -> 0.12.3.
* (T361991) Fix slash-delimited regex from CLI on maintenence/grep.php.
* (T362078) Improve RestAPIAdditionalRouteFiles path expansion.
* (T352695) tests: Only set $dbSetup if setupTestDB() ends without throwing.
* (T302186) Add title cache for Title::newMainPage().
* objectcache: Fix flaky WANObjectCacheTest::testLockTSESlow case.
* (T362272) api: Replace null $httpCode by 0 in ApiBase::dieWithErrorOrDebug.
* (T150647, T216682) Make EncryptedPassword work with Argon2Password.
* (T327220) Special:ApiHelp: Move widths and floats in CSS to media query.
* (T364270) Fix long param names overlapping docs in API help pages.
* MaintenanceRunner.php: Add trailing newline to error message.
* wrapOldPasswords: Improve progress output and decrease batch size.
* (T361367) ApiFeedWatchlist: Fix handling of array parameters.
* (T132418) ResourceLoader: Add 1min grace via stale-while-revalidate Cache-Control.
* (T366130) EncryptedPassword: Store default parameters as strings.
* Name the PagerTools array entries to allow hooks to unset them.
* Sun Apr 21 2024 Carsten Ziepke - Update to Mediawiki 1.39.7 Security and maintenance release
* Localisation updates.
* (T334992) Headings in the license pickers should not be selected.
* (T353929) ActiveUsersPager: Count actions only once.
* composer: Use @php instead of php.
* (T326065) Indent JsonContent using tabs.
* (T354541) authmanager: Improve AuthenticationRequest docs.
* (T355017) Add missing space in Special:RecentChangesLinked.
* (T355003) composer.json Add ext-bcmath and ext-gmp to suggests.
* PHPVersionCheck: Update text to match currently supported upstream PHP versions (8.1+).
* (T354045) API: mark HTML output as non-cacheable.
* (T355530) filerepo: Fix img_major_mime for files with non-standard extensions.
* (T355530) MimeAnalyzer: Add @since to isValidMajorMimeType.
* (T317489, T319202) Mark some parserTests on talk pages Parsoid only on REL1_39.
* (T350594) Update wikimedia/parsoid to 0.16.3.
* (T352554) ZhConverter: Fix language variant fallback chain.
* (T357668) Parser::getExternalLinkAttribs: Don't set rel attribute to null.
* LockManagerGroupIntegrationTest: Remove test depending on DBLockManager.
* (T357808) LinkRendererTest: Add missing import for LinkTarget.
* (T353305) ApiResetPassword: Allow both user and email parameters to be passed for reset.
* (T358949) updateCollation: Explicitly cast $scale to int.
* (T359055) api: Improve linking of language codes lists in top level i18n messages.
* (T359294) Make sure MovePage::isValidFileMove matches UploadBase::getTitle.
* (T230245) Respect $maxConcurrency when queuing async FileOps.
* (T352554) Follow-up "ZhConverter: Fix language variant fallback chain".
* (T292237, T317451) build: Restore Doxygen output for MediaWiki release tags.
* (T324903) HistoryPager: Add #[AllowDynamicProperties].
* (T360850) Update Apache config syntax in .htaccess files.
* (T309714, T354274) mime: Add support for 'font/woff' and 'font/woff2' mime type.
* (T309714) mime: Make test cases use data provider.
* (T331608) installer: Bear with schema drift caused by running old updater.
* docs: Remove use of $IP from mwdocgen.php.
* (T317451) build: Restore Doxygen output for MediaWiki release tags (take 3).
* docs: Set stable permalink on markdown files.
* (T357019) allow maintenance/deleteBatch.php to accept page ID.
* (T355538, CVE-2024-PENDING) XSS in edit summary parser.
* (T357760, CVE-2024-PENDING) Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.
* Fri Feb 23 2024 Carsten Ziepke - Use %autosetup macro. Allows to eliminate the usage of deprecated %patchN, prepare for RPM 4.20
* Sun Jan 14 2024 Carsten Ziepke - Update to Mediawiki 1.39.6 Security and maintenance release
* Localisation updates.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
* Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
* (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
* Added symfony/polyfill-php82.
* Added symfony/polyfill-php83.
* Updated symfony/yaml from 5.4.10 to 5.4.23.
* (T329609) ApiQueryLanguageinfoTest: Do not pass a float to setFakeTime.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
* tests: Provide coverage for StatusValue::__toString.
* StatusValue: Improve logging/debug output with multibyte characters.
* (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped messages used in rights log.
* Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
* (T229992) LocalisationCache: Preserve fallback source language info.
* (T275085) Fix logging Status objects to 'authevents' channel.
* (T341310) DEVELOPERS.md: mention git clone and WSL.
* (T351758) DEVELOPERS.md: reword WSL instructions to include best practices.
* (T349115) LocalisationCache: Fix a rare case in fallback source language.
* SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated".
* maintenance: Add missing parenthesis to SQL in attachLatest.php.
* (T353472) maintenance: Fix join condition in DeduplicateArchiveRevId.
* Mon Oct 09 2023 Carsten Ziepke - Update to Mediawiki 1.39.5 Security and maintenance release
* Localisation updates.
* (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than PHP's.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T274041) Include core PSR-4 classes in the generated classmap.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
* HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* API: Make continue parameter help description more specific.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T326696) user: Truncate option value in UserOptionsManager.
* (T326696) ApiOptions: Give warning if the value is too long.
* API i18n: Add {{PLURAL:}} for byte count messages.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).
* Wed Jul 05 2023 Carsten Ziepke - Update to Mediawiki 1.39.4 Security and maintenance release
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5).
* (T333776) Template:ACTIVEUSERS wasn't being updated without updateSpecialPages.php.
* (T258860) Prevent LogicCache exception from message cache during IO errors from memcache.
* (T336868) Improve idempotency of postgres index upgrades.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* A fake MessageLocalizer for use in unit tests.
* (T338114) Title: Add forward alias.
* composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
* (T330464) Work around argument corruption bug in XMLReader::open.
* Fix frame and frameless rdfa depending on file existing.
* Fixes for the phan upgrade, part 1.
* Fixes for the phan upgrade, part 2.
* (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
* Fri Mar 31 2023 Carsten Ziepke - Update to Mediawiki 1.39.3 Security and maintenance release
* Localisation updates.
* (T225218) LinksUpdate: Use DB key for category links table.
* GlobalFunctions: Remove check for MEDIAWIKI constant.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330382) postgres: Make the upgrade ignore dropping indexes that might not exist.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
* (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
* (T325529) Fix total breakage of wgCanonicalServer fallback.
* (T318103) mediawiki.storage: Disable async GC during integration test.
* (T332461, T332397) TempFSFile: Keep the WeakMap alive.
* (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers.
- Fix some rpmlint warnings
* Sun Mar 19 2023 Carsten Ziepke - Update to Mediawiki 1.39.2 Maintenance release
* Localisation updates.
* (T325872) ChangeTags: Remove table name from condition.
* (T324895) MWCallbackStream: Add explicit $stream property.
* (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField.
* (T321319) Produce HTML for invalid JSON.
* (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
* (T223027) ReservedUsernames config: Add reserved names from maintenance scripts.
* (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
* DatabaseSqlite: fix null blobs.
* rdbms: avoid pg_escape_bytea() call-style deprecation notices.
* (T322278) Improve LocalisationCache post-merge validation check.
* (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* (T322278) Fix the remaining Phan failures on PHP 8.1.
* (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
* Fix phan error when Excimer is enabled.
* (T326021) Add matrix: to $wgUrlProtocols.
* (T314099) stream wrapper: Declare $context class property.
* (T314099) libs\jsminplus: Declare JSNode::$expression.
* (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
* (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
* (T215466, T326071) installer: Split drop action out of the SQL patch for actor migration.
* (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
* (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
* (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses
* (T327821) skin: Restore default 'value' attribute in makeSearchButton().
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T329415) Clear the statsd data buffer regardless of StatsdServer config.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
* (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
* (T324894) TempFSFile: Use a WeakMap for reference tracking if available.
* (T295637) Add no to fallback chain of nb and nn.
* Sat Dec 24 2022 Carsten Ziepke - Update to Mediawiki 1.39.1 Security and maintenance release
* Localisation updates.
* PostgresUpdater: Remove trailing space from 'user_id ' column.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324516) postgres: Fix upgrade for templatelinks primary key.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
* (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
* (T314099) api: Remove use of undeclared property in action=comparepages.
* Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
* (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
* Updated pear/mail (v1.4.1 => v1.5.0).
* Removed wikimedia/dodo (v0.4.0).
* (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters.
* (T322637) SECURITY: sqlite should not create DB file world-readable.
* Sun Dec 04 2022 Carsten Ziepke - Update to Mediawiki 1.39.0
* MediaWiki 1.39 is an LTS and is due to be supported until the end of November 2025.
* Please visit and read before update: https://www.mediawiki.org/wiki/Release_notes/1.39
- Update Requires to php > 7.4.3 and < 8.2.0
- Rebase and rename mediawiki-use-localsettings-from-webroot.patch
* Fri Sep 30 2022 Carsten Ziepke - Update to Mediawiki 1.37.6 Maintenance release
* Fix missing use statement from backport of fix for T307278.
- Changes in Mediawiki 1.37.5 Security and maintenance release
* Localisation updates.
* (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
* (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
* (T312302) SpecialRedirect: Don't pass null to explode.
* RemoveInvalidEmails: Fix quoting for postgres.
* (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen().
* (T312300) SpecialDiff: Don't pass null to explode().
* (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
* (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
* (T289926) Ensure that strlen() does not get passed a (valid) null.
* (T312301) SpecialDiff: Don't pass null to trim().
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
* (T289926) Ensure we don't pass null to mb_strlen.
* (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls.
* (T289926) site: Consistently return null from Site::getDomain().
* (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept().
* (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
* Add application/vnd.ms-opentype to MIME list.
* Allow composer/installers plugin in composer.json.
* Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1.
* (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
* (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1.
* (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource.
* Fix tests so getName() doesn't return null.
* (T313663) [php8] Don't use strlen on potentially null string.
* (T313663) [php8.1] Suppress test warning about providing null.
* (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp.
* (T313663) Add explicit null check for $sha in FileBackend [php8.1].
* (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
* (T313663) Mock UserOptionsManager::getOption for php8.1.
* (T289879, T289926) Get rid of warnings on PHP 8.1.
* (T313663) Check for null return of preg_replace in MediaWikiTitleCodec.
* (T313663) cast db name to string when checking if it is read only [php8.1].
* (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
* Fix a couple deprecation warnings in the installer under PHP 8.1.
* (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
* (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1].
* (T314096) Migrate use of ${var}-style string interpolation.
* (T314099) preprocessor: Add missing field declarations.
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null.
* (T314225) SpecialCategories: Null coalescence $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages in tests.
* (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
* (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1.
* (T313663) Do not test giving a null fragment to Title::makeTitle.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
* api: Add rel=nofollow to help examples.
* (T307613) Validate length of user email on Special:ChangeEmail/Special:CreateAccount.
* (T314226) LoginSignupSpecialPage: Check if $value is a string before length.
* (T314824) tests: Update parser test after i18n change.
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
* (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T313049) Bump wikimedia/parsoid to v0.14.2.
* (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change.
* (T318079) SpecialEditTags: Set default value of wpTagsToRemove to empty array.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) Update docs for HTMLFormField::validate() to permit all data types.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
* Sat Jul 09 2022 Carsten Ziepke - Update to Mediawiki 1.37.4 Maintenance release
* Localisation updates.
* (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
* (T311559) SpecialListFiles: user parameter isn't always present.
* (T311561) ImageListPager: Don't call htmlspecialchars() on null.
* (T311920) SpecialBlockList: Prevent passing null to trim().
* (T311921) SpecialUserrights: Don't pass null to str_replace.
* (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize().
* (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
* (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
* (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields.
- Changes since Mediawiki 1.37.3 Security and maintenance release
* Localisation updates.
* (T289879) Type hints for ArrayAccess and JsonSerializable.
* (T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
* Rebuilt vendor with composer 2.3.3.
* Fix old_name in UserLogoutComplete hook.
* (T289879) Address some deprecations for PHP 8.1.
* (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.
* (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered.
* (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
* (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
* (T308473) SECURITY: Escape contributions-title msg for use within page title.
* (T311272) Call parent constructor of AddSite maintenance script first.
* MediaWiki: Don't eagerly initialize action name.
* Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
* (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
* (T289926) Avoid passing null to trim() in SkinTemplate.
* (T311473) rollbackEdits: Pass user identity to RollbackPage.
* (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
* (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
* (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode().
* (T311569) FileBackend::isStoragePath() Handle being passed null.
* (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param.
* (T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
* (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
* (T296642) changetags: Fix management of a '0' tag.
* (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
* (T303033) Handle null in ChangeTags::modifyDisplayQuery.
* Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
* Sun Apr 10 2022 Carsten Ziepke - Update to Mediawiki 1.37.2 Security and maintenance release
* (T298261) Fix support for Composer 2.2.
* (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
* Update doctrine/dbal (3.0.0 => 3.1.5).
* (T296898) Add entry point name to disabled Session exception if possible.
* (T298564) MemcachedClient: Add support for IPv6.
* (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete.
* (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode.
* (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
* (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
* (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
* (T275673) objectcache: Avoid getCurrentTime() call in MapCacheLRU::has().
* (T275673) objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead.
* Fix the json schema and the extension processor for Parsoid extension modules.
* (T299696) update.php: Avoid passing null to substr.
* (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField.
* In PHP 8.1 don't throw exceptions from mysqli.
* (T289926) SiteConfiguration: Don't pass null to str_replace().
* (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
* (T260735) Stop using is_resource() where possible.
* (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces.
* (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
* ExtensionRegistry: Add process cache for lazy attributes.
* (T301041) ApiPageSet: Add "missing": true to missing revisions.
* Allow ParsoidModules extension schema to register services.
* (T300462) SpecialUndelete: Do not show empty comments as deleted.
* (T297708) Allow setting max execution time to several special pages.
* (T205349) LinkCache: Try invalidating cache before throwing.
* (T302540) composer.json: Add ext-calendar to require.
* (T302540) composer.json: Add ext-simplexml to require-dev.
* (T302540) composer.json: Add various PHP extensions to suggests.
* Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
* (T293576) listFiles: Display file name instead of version.
* (T303871) Fix @since of Title::getId().
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.
* (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.
* Sun Dec 19 2021 Carsten Ziepke - Update to Mediawiki 1.37.1 Security and maintenance release
* (T296112) Allow inserting new sections named '0'.
* Fix path for ZhConversion.php.
* nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.
* Fri Nov 19 2021 Johannes Weberhofer - Update to Mediawiki 1.37.0 Read the full release notes at https://www.mediawiki.org/wiki/Release_notes/1.37
* Sun Oct 10 2021 Carsten Ziepke - Update to Mediawiki 1.36.2 Security and maintenance release
* Don't access MWServices prematurely in Maintenence.php.
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* Installer: Fix foundation.wikimedia.org link in config-pingback-help.
* (T283273) Make postgres IRC channel point to libera.chat.
* composer.json: Promote and pin monolog/monolog to require from require-dev.
* (T287526) JavaScriptMinifer: Recognize `...` as a single token.
* (T287526) Update wikimedia/minify to 2.2.4.
* (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles as well.
* (T290489) objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
* $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
* (T291244) Unserialize objects in ParserCache->mExtensionData as objects.
* MysqlUpdater: Add updatelog entries for dropDefault.
* (T290776) Fix $phase check in OutputHandler.
* The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.
* Fri Jun 25 2021 Johannes Weberhofer - Update to Mediawiki 1.36.1 Security release
* (T283942) DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
* (T283244) JavaScriptMinifer: Fix handling of "delete" as object property.
* (T284391) Fix SkinModule to correctly prepend remote path on document root installs.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T278579) Don't send headers on ob_end_clean().
* (T285287) MultiHttpClient: Replace PHP version check with defined().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
* Fri Jun 04 2021 Johannes Weberhofer - Update to version 1.36.0
* Upgrade notes
  - MediaWiki 1.36 now requires the PHP internationalization extension (commonly referred to as Intl, ext-intl, or php-intl).
  - The MediaWiki:Autoblock_whitelist block exemption control has been moved to MediaWiki:Block-autoblock-exemptionlist. If you use this feature, please move the MediaWiki:Autoblock_whitelist page.
  - (T275334) $wgExtensionFunctions is sometimes used to change configuration settings. This is not safe; extension functions are run relatively late, some services are already initialized by that point and so they use the old configuration. Changes in 1.36 make this kind of breakage even more common. You can use the MediaWikiServices hook instead. (In the future there might be a dedicated hook for configuration changes.)
  - The MediaWiki update script, maintenance/update.php, used to accept `--nopurge` as an option to prevent clearing caches stored in the database during upgrade. This is no longer encouraged, and the option has been removed.
* New features
  - The logo of MediaWiki has changed. This means that the "Powered By MediaWiki" button shown in the skin footer will be different.
  - All HTML5 named entities are now accepted in wikitext.
  - (T106263) The file description page's alternate sizes now include 2048px.
* Action API changes
  - `Access-Control-Max-Age` was added to the default list of headers allowed for cross-origin API requests ($wgAllowedCorsHeaders).
  - Accounts with the 'bot' right no longer have pages automatically added to the watchlist when making API edits, regardless of their preferences. This is to reduce the size of the watchlist data in the database. To add API bot edits to the watchlist, explicitly set the 'watch' option.
* New configuration options
  - (T256001) $wgManualRevertSearchRadius – This setting controls a new feature that marks edits as reverts if they restore the page to an exact previous state. This configuration variable sets the maximum number of revisions of a page that will be checked against every new edit. Set this to 0 to disable the feature entirely.
  - (T244058) $wgOldRevisionParserCacheExpireTime — This setting was added to control caching of ParserOutput for old (non-current) revisions.
  - (T265263) $wgRememberMe - This setting configures the "remember me" checkbox on account log-in systems via RememberMeAuthenticationRequest.
  - (T157145) $wgSkinMetaTags – This setting lets sysadmins configure skins that support meta tags. These tags make sharing of MediaWiki pages on a variety of social platforms more contentful and thus useful.
  - (T280944) $wgIncludejQueryMigrate - This setting lets sysadmins disable the jQuery Migrate plugin. It has been enabled by default since MediaWiki 1.27. In future releases it will be disabled by default.
* Changed configuration options
  - $wgLogos – This setting selects the logo shown on the site. The default value for the site logo, which is shown in an install if you have not set one, will now be the new logo of MediaWiki.
  - (T274695) $wgAjaxEditStash — This setting, to disable the edit stashing feature when users start writing an edit summary, has been deprecated. In future releases, this feature will always be enabled.
  - $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand media scaling, was deprecated. Use the `thumbProxyUrl` setting in $wgLocalFileRepo instead.
  - $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical respectively. The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which try to read them.
  - $wgWANObjectCaches - The "coalesceKeys" option was removed without deprecation and replaced by a new "coalesceScheme" option, set to "hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys" option to "hash_tag". The "cluster" and "mcrouterAware" options were also removed without deprecation. Use "broadcastRoutingPrefix" instead.
* Removed configuration options
  - $wgUseTwoButtonsSearchForm — This setting, deprecated in 1.35, has been removed.
  - $wgAllowImageMoving — This setting, deprecated in 1.35, has been removed. Use group permission settings instead. For example, to prevent sysops from moving files, set `$wgGroupPermissions['sysop']['movefile'] = false;`
  - $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields, $wgExtPGAlteredFields, $wgExtModifiedFields — These settings were removed. They became obsolete after 1.17 overhauled the database updater, but were kept for backwards compatibility. The LoadExtensionSchemaUpdates hook should be used instead.
  - $wgParserConf - This setting, deprecated in 1.35, has been removed. The last use of this setting was for pre-processor configuration, which was deprecated in 1.34 and removed in 1.35.
  - $wgEnableRestAPI - This setting, ignored since 1.35, has been removed.
  - $wgPagePropsHaveSortkey – This temporary setting has been removed, along with the schema change upgrade path it controlled. If your site is still using it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24, you must now apply it before upgrading.
  - The deprecated password policies PasswordCannotMatchBlacklist and PasswordNotInLargeBlacklist were removed. Please use PasswordCannotMatchDefaults and PasswordNotInCommonList respectively instead.
* Wed Apr 21 2021 Johannes Weberhofer - Update to version 1.35.2
* (T270450) The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered().
* Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support.
* Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support.
* Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support.
* (T270734) Fix display of Special:Preferences URL in password reset email.
* (T252774, T271441) resourceloader: Give SkinModule 'features' option an extensible default.
* (T271441) Unknown features shouldn't break style output.
* (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0.
* DefaultSettings.php: Update $wgPingback documentation.
* Fix docs for LanguageConverter::translate.
* (T272250) Don't rely on implicit string->int cast in comparison.
* (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine.
* (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null.
* Remove nonfunctional default sampling for WANObjectCache metrics.
* (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook.
* (T270852) Hooks: Map dash character to underscore when generating hook names.
* (T271551, T270145) Fix fetching ipblock-exempt within BlockManager::getUserBlock.
* PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
* (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests.
* (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs.
* (T248925) Special:Contributions reports negative namespace error on PHP 8.
* (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8.
* (T248925) Fix CacheTime::getCacheExpiry for PHP 8.
* (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking.
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of SQLite write lock.
* (T272326) Fix DeprecationHelperTest on PHP 8.
* Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support.
* (T236639) OutputPage: Make $wgDebugRedirects work again.
* (T274648) registration: Allow reusing cached metadata between wikis.
* CdnCacheUpdate: Send full URL instead of path to Curl for purge.
* Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support.
* FileBackend: Do not use SOCKET_ENOENT on windows.
* (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once.
* (T275261) Escape wikitext in the title in invalid title error messages.
* (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL.
* (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above minimum.
* (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support.
* (T269293) Record all used options in metadata.
* Allow usage of Composer 2.0 to install MediaWiki's dependencies.
* (T259872) skins: Call headElement() after getTemplateData() in SkinMustache.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens.
* (T272412) Add "Account data" section to user preferences.
* (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
* (T277520) registration: Allow specifying immovable namespaces in extension.json.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
* (T254688) Remove page inner join from subquery in SpecialWhatLinksHere.
* (T122124) signup: added help message for security.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than static::class.
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0.
* (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8.
* (T268230) Switch to new MediaWiki logo by Serhio Magpie.
* (T271735) Expand config-pingback-help, link to privacy policy in config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can create pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary tags.
* Sun Feb 21 2021 Johannes Weberhofer - Fixed invocation of upgrade script
- Hard-Code main version - scripts don't work nicely with osc
* Sun Feb 21 2021 Carsten Ziepke - Update to version 1.35.1
* (T263929) purgeList.php Fix all-namespaces option to match one used in code.
* (T248719) ParserCache::get - fix wfDeprecated call.
* (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab.
* Preload mediawiki.watchstar.widgets before api request.
* (T261030) ApiEditPage: Show existing watchlist expiry if status is not being changed.
* (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string.
* (T248925) Remove final modifier on private function.
* (T264683) Remove ipb_anon_only from ipb_address_unique index addition.
* (T261415) Add days left messages to changes-lists' clock icons.
* Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
* (T261260) Preload class used in HeaderCallback.
* (T260868, T260009) Normalize WatchedItem expiry field.
* (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
* (T264534) ApiPageSet: Avoid infinite loop when merging redirects.
* (T196906) Empty Monolog loggers are now real blackholes.
* (T258649) WatchAction: avoid UPDATE when old and new watch period is indefinite.
* Parser: Adjust typehint to show that getTitle can return null.
* (T263592) media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData().
* (T265223) BaseTemplate: Guard against passing zero arg to array_merge().
* (T264965) Fix base path handling for MessagePosterModule registration.
* (T252183) Fix Database::getTempTableWrites for multi table DDLs.
* (T182546) Fix switch/case indentation per mediawiki coding conventions.
* Flip Yoda conditionals.
* (T263213) Move SkinTemplate::getFooterLinks() to Skin.
* build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
* (T267105) Make ImageBuilder::checkMissingImage public.
* Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
* (T266681) Support new style hook registration on install and update.
* (T266980) Fix unsetting of copyright icon in FooterIcons.
* upload.js: Don't assume that warnings array will include 'code' key.
* upload.js: Fix typo in upload API.
* (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded.
* (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText().
* (T266418) composer.json: add requirement for composer-plugin-api ^1.1.
* (T261431) Add ARIA attributes to watchlink and its notification.
* (T258877) Change invalid 'Content-Encoding: none' header.
* Fix trailing ; in patch-sites-site_language-35.sql.
* (T248852) wfAssembleUrl: Handle empty query field in URL bits.
* (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
* (T268887) migrateComments: Cast array keys back to string before passing to the DB.
* (T266619) Introduce new $wgThumbPath config.
* (T269178) MemcachedClient: Cast Resource to integer.
* (T263925) Use the old HookContainer to set up the post-reset services.
* Change "site cache" to just "cache" in the right-purge message.
* [UploadedFileStreamTest] Skip test with chmod.
* (T269710) Updating composer/semver (1.5.1 => 1.7.2).
* (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
* (T260631, T260633), BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database.
* (T265778) Fix English/*nix specific error messages in FSFileBackend.
* (T267543) Split dropping of image.img_user_timestamp.
* [FileTest] Do not assume /tmp exists on windows.
* Clean up temp files correctly after unit tests.
* Skip undo related phpunit tests when diff3 is missing.
* (T269964) rdbms: Remove outer parentheses in insert query for Postgres.
* (T263911) In MWExceptionHandler::report(), catch all throwables.
* (T268894, CVE-2020-35474) SECURITY: Use Html::element in ChangeListSpecialPage for sanity.
* (T268917) Use Xml::element in SpecialUserrights for sanity.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity.
* (T268938) Fixed mixed escaping in Language::translateBlockExpiry.
* (T263911) UserOptionsManager: don't differentiate anons caches.
* (T261260) HeaderCallback: pre-cache request ID.
* Parsoid updated to v0.12.1.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users.
* (T270145) Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP.
- Add requires cron, fix missing-dependency-to-cron for cron script /etc/cron.d/mediawiki
* Tue Dec 15 2020 Johannes Weberhofer - New cronjob must run as root
* Mon Dec 14 2020 Arjen de Korte - Extract main version from version
* Mon Dec 14 2020 root - Updated to version 1.35.0 Changelogs:
* https://www.mediawiki.org/wiki/Release_notes/1.35
* https://www.mediawiki.org/wiki/Release_notes/1.34
- Don't forget to always back up your database before upgrading!
- The minimum PHP Version is now 7.3.19
- Replaced mediawiki-1.33-use-localsettings-from-webroot.patch by updated Created mediawiki-1.35-use-localsettings-from-webroot.patch
- merged, improved and refactored script files
- resolves bnc#1179340
* Fri Dec 11 2020 Arjen de Korte - Put Apache configuration in separate subpackage
* Fri Dec 11 2020 Arjen de Korte - Don't Require: mod_php_any as this creates a hard dependency on apache2-prefork (use php-session instead)
* Wed Dec 09 2020 Arjen de Korte - Use system apache rpm macros
* Mon Jul 06 2020 Johannes Weberhofer - Updated to version 1.33.4 Security and maintenance release:
* (T247017) PasswordReset performance improvements.
* The MultiHttpClient code will fallover to non-curl if curl_multi* is blocked.
* (T250568) Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17.
* Remove some rotten and out of date documentation.
* (T252311) Improvements to some older SQLite update patches.
* (T240307) Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
* rdbms: Add callback for atomic section cancellation.
* (T191668) NameTableStoreTest::getCallCheckingDb simplification.
* Make NameTableStore use LoadBalancer::getConnectionRef().
* (T224949) NameTableStore: ensure consistency upon rollback.
* (T199474) Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php.
* (T229461) Update the change_tag table in rebuildrecentchanges.php.
* (T234450) Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately.
* (T248947) SECURITY: img_auth.php may leak private extension images into the public cache.
* Thu Apr 02 2020 Johannes Weberhofer - Updated Documentation
* Sun Mar 29 2020 Johannes Weberhofer - Updated to version 1.33.3 Security fixes:
* (T232932) User content can redirect the logout button to different URL.
* (T246602) jquery.makeCollapsible allows applying event handler to any CSS selector.
* Sun Mar 08 2020 Johannes Weberhofer - Updated to version 1.33.2 Changelogs:
* https://www.mediawiki.org/wiki/Release_notes/1.34
* https://www.mediawiki.org/wiki/Release_notes/1.33
* https://www.mediawiki.org/wiki/Release_notes/1.32
- Refactored the maintenance scripts which are now installed in /usr/bin. The scripts have been renamed to mediawiki-update.sh and mediawiki-makealias.sh
- BREAKING CHANGES: Read /usr/share/doc/packages/mediawiki/README.DISTRIBUTION
* Sat Mar 07 2020 Johannes Weberhofer - Renamed scripts and moved the scripts to /usr/bin
* Sat Feb 15 2020 Carsten Ziepke - Updated mediawiki-1.31-use-localsettings-from-web-path.patch. Fix for "PHP Warning: Use of undefined constant MW_CONFIG_FILE".
* Sat Dec 21 2019 ecsosAATTopensuse.org - Update to version 1.31.6 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.5
  - (T181658) Do not insert page titles into querycache.qc_value.
  - (T206013) Suppress errors when reading invalid XML file properties.
  - (T237931) Remove references to pg_attrdef.adsrc in Postgres code.
  - Use correct value for 'sslmode' in DatabasePostgres.
  - (T232866) Fix support for HTTP/2 in MultiHttpClient.
  - (T227461) Stop calling deprecated Redis delete functions.
  - (T239561) Mark options as requiring parameters in addSite.php.
  - (T239734) Replace deprecated lSize with lLen in Redis code.
  - (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset.
  - (T239428) ApiEditPage: Test for bad redirect targets.
  - (T233342) rdbms: Log debug message traces as 'exception.trace' instead of 'trace'
  - (T226751) media: Log and fail gracefully on invalid EXIF coordinates.
  - (T212067) Work around PHP bug in parse_url.
- Changes from version 1.31.5 This is a maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.4
  - Fix extra newlines in installer.
  - Followup T230402, PermissionManager doesn't exist until 1.33, so fix the backported patches to use User::isAllowed() instead.
* Sun Oct 13 2019 ecsosAATTopensuse.org - Update to version 1.31.4 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.3
  - (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3.
  - The ImgAuthModifyHeaders hook was added to img_auth.php to allow modification of headers in private wikis.
  - (T230402) SECURITY: Add permission check for suppressed account to Special:Redirect.
  - Add helper for HTTPFileStreamer header syntax.
  - (T118799) Fix XMP parser errors due to trailing nullchar.
  - (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy.
  - (T202183) Give more specific error messages on Special:Redirect.
  - Cache redirects from Special:Redirect.
  - (T231386) dispatchUser() should use a 302 http status code.
  - (T227662) Split down patch-comment-table.sql and patch-actor-table.sql into separate files to help alleviate potential migration problems.
  - Make SQLite's patch-add-3d.sql a no-op to prevent clobbering other database updates.
* Wed Jul 31 2019 ecsosAATTopensuse.org - Update to version 1.31.3 This is a maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.2
  - (T225558) Update installer link to PHP intl.
  - (T225496) Detect APC for MainCacheType in CLI installer.
  - (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependencies.
  - (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
- Changes from version 1.31.2 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.1
  - (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.
  - (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table.
  - (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script.
  - (T208881) blacklist CSS var().
  - (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API.
  - (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly.
  - (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.
  - (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF).
  - (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags.
  - (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page.
  - (T221739, CVE-2019-11358) Fix potential XSS in jQuery.
  - Required PHP version has been increased from 7.0.0 to 7.0.13.
* Thu Nov 29 2018 jweberhoferAATTweberhofer.at - mediawiki-1.31-use-localsettings-from-web-path.patch fixes the handling of locations in our directories
- cleaned up spec
- cleaned up admin scripts
* Fri Nov 02 2018 ecsosAATTopensuse.org - Update to version 1.31.1 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.0
  - (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'.
  - (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock.
  - (task T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
  - (task T197229) Bundle Nuke extension, it was accidentally omitted.
  - (task T193995) Fix undefined patchPath() method call in parser tests.
  - (task T198687) Fix various selectFields methods to use the string 'NULL', not null.
  - Special:BotPasswords now requires reauthentication.
  - (task T191608, task T187638) Add 'logid' parameter to Special:Log.
  - (task T193829) Indicate when a Bot Password needs reset.
  - (task T198037) GitInfo: Don't try shelling out if it's disabled.
  - (task T151415) Log email changes.
  - (task T197206) Fix performance regression when multiple DB used without caching.
  - (task T197030) PHPSessionHandler: Suppress headers warnings in initialize().
  - (task T182377, task T196793) Exif: Guard against uncountable tag values.
  - (task T200861) Fix total breakage of SQLite web upgrade.
  - (task T200864) Fix pingback over-reporting on non-MySQL databases
  - (task T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks.
- rebase makealias.sh for apache >= 2.4 and new .htaccess
* Mon Jun 18 2018 ecsosAATTopensuse.org - Update to version 1.31.0 - requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is supported See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.31 (There are too many changes to list here)
* Mon May 28 2018 jweberhoferAATTweberhofer.at - Clean-up spec file
- Do no longer require php-ssl
- Removed sections for suse < 10.x
* Mon Feb 19 2018 jweberhoferAATTweberhofer.at - Updated dependencies
- Update to version 1.30.0 See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.30
Configuration changes:
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid unexpected behavior when code uses locale-sensitive string comparisons. For example, the Scribunto extension considers "bar" < "Foo" in most locales since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain class names. This is intended for extensions that want control over the instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative to plain class names, using the 'factory' key in the module description array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T45547) $wgUsePigLatinVariant added (off by default).
* $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions.
New Features:
* (T163562) Added the ability to search for contributions within an IP range at Special:Contributions. References to revisions made by IPs are stored in the ip_changes table to make querying for ranges more efficient.
* (T37247) Output from Parser::parse() will now be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using ParserOptions::setWrapOutputClass().
* Added the 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-specific tags to be added by users.
* Added the 'ParserOptionsRegister' hook to allow extensions to register additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a LanguageConverter variant. This allows English-speaking developers to develop and test LanguageConverter more easily. Pig Latin can be enabled by setting $wgUsePigLatinVariant to true.
* Added the 'RecentChangesPurgeRows' hook to allow extensions to purge data that depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
Action API changes:
* (T37247) action=parse output will be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' parameters to prop=revisions are deprecated, as are the similarly named parameters to prop=deletedrevisions, list=allrevisions, and list=alldeletedrevisions. Use action=compare, action=parse, or action=expandtemplates instead.
And several other changes
* Tue Nov 21 2017 ecsosAATTopensuse.org - Update to version 1.29.2 This is a security and maintenance release of the MediaWiki 1.29 branch. Changes since 1.29.1
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (CVE-2017-8808)
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php. (CVE-2017-8809)
* (T134100) SECURITY: Do not reveal if user exists during login failure. (CVE-2017-8810)
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. (CVE-2017-8811)
* (T125163) SECURITY: Make anchor for headlines escape > and <. (CVE-2017-8812)
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. (CVE-2017-8814)
* (T119158) SECURITY: Handle -{}- syntax in attributes safely. (CVE-2017-8815)
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all branches in the previous security release. (CVE-2017-0361)
* Thu Oct 12 2017 jweberhoferAATTweberhofer.at - Require php-openssl instead of php-mcrypt
- Update to version 1.29.1. Changelog: https://www.mediawiki.org/wiki/MediaWiki_1.29
Configuration changes
* Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is kept at 180 days. $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
* Subpages are now enabled by default in the Template namespace.
New features
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits from certain IP ranges (e.g. private IPs). Added new magic word {{PAGELANGUAGE}} which returns the language code of the page being parsed. (bug T59603)
* Users can now be assigned to user groups for a limited period of time. See the help page for more information.
Action API changes
* Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now an error. They should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed. action=clearhasmsg now requires a POST.
* (task T47843) API errors and warnings may be requested in non-English languages using the new errorformat, errorlang, and errorsuselocal parameters.
* API error codes may have changed. Most notably, errors from modules using parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and 'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than errormessage.
* action=move now reports errors when moving the talk page as an array under key talkmove-errors, rather than using talkmove-error-code and talkmove-error-info. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings and errors for each item. Use errorformat=wikitext if you're wanting parsed output.
* action=rollback no longer returns a messageHtml property. Use errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key 'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation and password change forms.
Action API internal changes
* New methods were added to ApiBase to handle errors and warnings using i18n keys. Methods for using hard-coded English messages were deprecated:
* ApiBase::dieUsage() was deprecated - ApiBase::dieUsageMsg() was deprecated - ApiBase::dieUsageMsgOrDebug() was deprecated - ApiBase::getErrorFromStatus() was deprecated - ApiBase::parseMsg() was deprecated - ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time being ApiUsageException is a subclass of UsageException to allow things that catch only UsageException to still function properly. If, for some strange reason, code was using an ApiErrorFormatter instead of ApiErrorFormatter_BackCompat, note that the result format has changed and various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes from the message key, and maps some message keys for backwards compatibility.
Languages updated
* Based as always on linguistic studies on intelligibility and language knowledge by geography, language fallbacks have been expanded.
* No fallback for Ukrainian
* (task T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian language will now use the default fallback language: English. When a translation to Ukrainian is not available, an English string will be shown.
Other changes
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" URLs to continue to work, set up redirects.
* Mon May 15 2017 ecsosAATTopensuse.org - update to 1.28.2. This is a security release of the MediaWiki 1.28 branch. Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix.
- update to 1.28.1. This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.0 ===
* $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
* (T152717) Better escaping for PHP mail() command.
* (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it.
* Mon Jan 09 2017 ecsosAATTopensuse.org - update to 1.28.0
=== Breaking changes ===
* Magic links are now disabled by default. They can be enabled by changing the value of $wgEnableMagicLinks. It has been proposed to remove magic link functionality from MediaWiki in a future release, if you depend upon or use them it is requested that you comment at Requests for comment/Future of magic links.
=== Changes since 1.28.0rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user') instead of just administrators ('sysop'). Documentation for this feature is available at .
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on and explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline