MediaWiki 1.28.3
22 November 2017
MediaWiki version 1.28.3 is now available (security release).
Upgrading to MediaWiki 1.28.3
You can upgrade to (or install) MediaWiki 1.28.3 using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply MediaWiki updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install and test the 1.28.3 upgrade before applying it live. Get started managing your MediaWiki installations with Installatron.
What's New in MediaWiki 1.28.3
This is a security and maintenance release of the MediaWiki 1.28 branch.
Security
- (T180231) Updated dev dependency phpunit/phpunit from v4.8.24 to v4.8.36.
- (T178451) Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard URL escaping.
- (T165846) BotPassword login attempts weren't throttled.
- (T128209) Reflected File Download from api.php.
- (T134100) Do not reveal if user exists during login failure.
- (T176247) Ensure Message::rawParams can't lead to XSS.
- (T125163) Make anchor for headlines escape > and <.
- (T180237) Protect vendor folder with .htaccess.
- (T180231) Remove PHPUnit file with known RCE if exists in update.php.
- (T124404) XSS in langconverter when regex hits pcre.backtrack_limit.
- (T119158) Handle -{}- syntax in attributes safely.
Bug Fixes
- (T168856) Allow SVGs created by Dia to be uploaded.
- (T157545) Add missing doUpdates() call to refreshLinks.php.
- (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
- (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
- (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
- (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
- (T167798) Fix phrase search and highlighting for phrase queries.
- (T151136) Provide credits information to callbacks in extension registration.
- (T160462) Allow namespaces defined in extension.json to be overwritten locally.
- (T168337) Fix ErrorPageError to work from non-UI contexts.
- (T143788) Backports for PHP 7.0 and 7.1 support.
- (T175439) Unbreak Postgres Updater when setting defaults for a column.
- (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
- (T174255) Declare uploadCount property in importDump.php.