MediaWiki 1.27.3
23 May 2017
MediaWiki version 1.27.3 is now available (security release).
Upgrading to MediaWiki 1.27.3
MediaWiki 1.27.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.27.3 upgrade prior to applying it live.
What's New in MediaWiki 1.27.3
MediaWiki 1.27.3:
This is a security release of the MediaWiki 1.27 branch.
- Contains a fix for a SyntaxHighlight_GeSHi security flaw.
MediaWiki 1.27.2:
This is a security and maintenance release of the MediaWiki 1.27 branch.
- CSS3 attr() function with url type argument is no longer allowed in inline styles.
- $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
- Better escaping for PHP mail() command
- Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
- Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
- Avoid SQL error on MSSQL when using selectRowCount()
- Fix too long index error when installing with MSSQL.
- $wgRawHtml will no longer apply to internationalization messages.
- CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
- (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
- SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
- SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
- SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
- SECURITY: Escape content model/format url parameter in message.
- SECURITY: SVG filter evasion using default attribute values in DTD declaration.
- SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
- SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
- SECURITY: Sysops can undelete pages, although the page is protected against it.
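
The 1.27.2 items above that deprecate sending lgtoken, lgpassword and other authentication parameters in the query string can be checked against a web server's access log, where query strings are normally recorded. The following is an added example, not part of the MediaWiki release notes or code; the combined log format, the /w/api.php path, the `password` and `retype` parameter names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Actions named in the 1.27.2 notes whose credentials belong in the POST body.
AUTH_ACTIONS = {"login", "clientlogin", "createaccount", "linkaccount",
                "changeauthenticationdata"}
# lgtoken/lgpassword come from the notes; the other names are assumptions.
SENSITIVE_PARAMS = {"lgtoken", "lgpassword", "password", "retype"}

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_query_string_credentials(log_lines):
    """Return (line_no, action, sorted param names) for each offending request."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        query = parse_qs(urlsplit(match.group("target")).query,
                         keep_blank_values=True)
        action = query.get("action", [""])[-1].lower()
        if action not in AUTH_ACTIONS:
            continue
        # Report parameter names only, never their values.
        leaked = sorted(SENSITIVE_PARAMS & {key.lower() for key in query})
        if leaked:
            findings.append((line_no, action, leaked))
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2017:10:00:01 +0000] "POST /w/api.php?action=login&format=json HTTP/1.1" 200 312',
    '192.0.2.11 - - [23/May/2017:10:00:05 +0000] "POST /w/api.php?action=login&lgname=Bot&lgpassword=EXAMPLE&lgtoken=EXAMPLE%2B%5C HTTP/1.1" 200 298',
    '192.0.2.12 - - [23/May/2017:10:00:09 +0000] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 1540',
    '192.0.2.13 - - [23/May/2017:10:00:12 +0000] "POST /w/api.php?action=clientlogin&username=Alice&password=EXAMPLE HTTP/1.1" 200 401',
]

if __name__ == "__main__":
    for line_no, action, params in find_query_string_credentials(SAMPLE_LOG):
        print(f"line {line_no}: action={action} sent {', '.join(params)} in the query string")
```

Clients flagged this way should move those parameters into the POST body, as the release notes direct.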