MediaWiki 1.23.12
18 December 2015
MediaWiki version 1.23.12 is now available (security release).
Upgrading to MediaWiki 1.23.12
MediaWiki 1.23.12 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.23.12 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.23.12
This release fixes six security issues in core.
Security fixes
- (bug T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
- (bug T119309) SECURITY: Use hash_compare() for edit token comparison
- (bug T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
- (bug T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
- (bug T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
- (bug T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki
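
Because a non-conforming $wgArticlePath now throws an error (T117899 above), the value can be checked before upgrading. The script below is an added example, not MediaWiki's own validation code: it approximates the rule as stated in the release note. The function name articlePathProblem() is hypothetical, and treating only http and https URLs as absolute is an assumption.

```php
<?php
// Added example: approximates the $wgArticlePath rule described in the
// release note (T117899). It is not MediaWiki's own validation code.

/**
 * Return null when $path is acceptable under the stated rule,
 * otherwise a short reason string.
 */
function articlePathProblem( $path ) {
	if ( !is_string( $path ) || $path === '' ) {
		return 'not a non-empty string';
	}
	// Paths anchored at the site root, e.g. "/wiki/$1".
	if ( $path[0] === '/' ) {
		return null;
	}
	// Absolute URLs, e.g. "http://my.wiki.com/wiki/$1".
	// Assumption: only http and https count as absolute here.
	if ( preg_match( '!^https?://[^/]+/!i', $path ) ) {
		return null;
	}
	return 'relative path that does not begin with a slash';
}

// The first four values are the ones quoted in the release note;
// the last two are constructed samples.
$candidates = array(
	'http://my.wiki.com/wiki/$1',
	'/wiki/$1',
	'$1',
	'wiki/$1',
	'https://my.wiki.com/$1',
	'index.php?title=$1',
);

$bad = 0;
foreach ( $candidates as $candidate ) {
	$problem = articlePathProblem( $candidate );
	printf( "%-30s %s\n", $candidate, $problem === null ? 'ok' : "REJECT: $problem" );
	if ( $problem !== null ) {
		$bad++;
	}
}
// Non-zero exit status signals that at least one value needs fixing.
exit( $bad > 0 ? 1 : 0 );
```

Replace the sample list with the value from your own LocalSettings.php and run the script with the PHP command-line interpreter before applying the upgrade.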