File mediawiki.changes of Package mediawiki
-------------------------------------------------------------------
Tue Oct 15 16:32:48 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.10
  * Fix issue related to backport of AbuseFilter patch for T372998.
- Changes in Mediawiki 1.39.9
  Security and maintenance release
  * Localisation updates.
  * (T303007) skins: Fix Skin::buildSidebar to not share cache between skins.
  * (T367918) When using the 'runMaintenance' method in a LoadExtensionSchemaUpdates hook handler, only the script's class name is required, not its path.
  * Clarify that $wgAllowCrossOrigin only applies to REST.
  * (T370380) installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php.
  * composer.json: Add 5 more ext- to suggests.
  * resources: Fix 404 Not Found for foreign Financial-Times/polyfill-library.
  * ResourceLoader: Fix regression of color mapping in Less.php.
  * ResourceLoader: Upgrade wikimedia/less.php to 4.4.1.
  * SpecialExport: Prevent passing null to strtolower.

-------------------------------------------------------------------
Thu Sep 12 05:29:32 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Update mod_php_any requires, php < 8.4.0 is supported

-------------------------------------------------------------------
Sun Jun 30 18:37:44 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.8
  Security and maintenance release
  * Localisation updates.
  * tests: Skip failing tests on php8.2 (and make pass).
  * (T326480) ApiResult: Make array ordering consistent across PHP versions.
  * (T352789, T287972) build: Raise TestingAccessWrapper from 2.0.0 to 3.0.0.
  * (T326478) tests: Create new classes to hold dynamic properties in auth tests.
  * (T326478) tests: Avoid dynamic properties in AuthenticationProvider Test.
  * (T326466) Introduce and use DynamicPropertyTestHelper.
  * tests: Skip failing tests on php8.3 (and make pass).
  * (T352910) tests: Use TestingAccessWrapper::newFromClass in session tests.
  * (T326478) tests: Avoid dynamic properties in auth tests.
  * (T326479, T361985) StatusValue: Allow passing arbitrary data to augment result.
  * tests: Remove dead code from WikiPageDbTest::assertPreparedEditNotEquals.
  * (T326478) tests: Avoid dynamic properties in SessionManagerTest.
  * (T361990) Upgrading wikimedia/parsoid (v0.16.3 => v0.16.4).
  * (T357760) Use i18n strings for truncated subpage message in SpecialMovePage.
  * ArticleTest: Skip testGetOrSetOnNewProperty() if PHP >= 8.2.
  * (T361982) Update wikimedia/less.php from 3.1.0 to 3.2.1.
  * debug: Update PsySH 0.11.1 -> 0.12.3.
  * (T361991) Fix slash-delimited regex from CLI on maintenance/grep.php.
  * (T362078) Improve RestAPIAdditionalRouteFiles path expansion.
  * (T352695) tests: Only set $dbSetup if setupTestDB() ends without throwing.
  * (T302186) Add title cache for Title::newMainPage().
  * objectcache: Fix flaky WANObjectCacheTest::testLockTSESlow case.
  * (T362272) api: Replace null $httpCode by 0 in ApiBase::dieWithErrorOrDebug.
  * (T150647, T216682) Make EncryptedPassword work with Argon2Password.
  * (T327220) Special:ApiHelp: Move widths and floats in CSS to media query.
  * (T364270) Fix long param names overlapping docs in API help pages.
  * MaintenanceRunner.php: Add trailing newline to error message.
  * wrapOldPasswords: Improve progress output and decrease batch size.
  * (T361367) ApiFeedWatchlist: Fix handling of array parameters.
  * (T132418) ResourceLoader: Add 1min grace via stale-while-revalidate Cache-Control.
  * (T366130) EncryptedPassword: Store default parameters as strings.
  * Name the PagerTools array entries to allow hooks to unset them.

-------------------------------------------------------------------
Sun Apr 21 09:33:38 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.7
  Security and maintenance release
  * Localisation updates.
  * (T334992) Headings in the license pickers should not be selected.
  * (T353929) ActiveUsersPager: Count actions only once.
  * composer: Use @php instead of php.
  * (T326065) Indent JsonContent using tabs.
  * (T354541) authmanager: Improve AuthenticationRequest docs.
  * (T355017) Add missing space in Special:RecentChangesLinked.
  * (T355003) composer.json: Add ext-bcmath and ext-gmp to suggests.
  * PHPVersionCheck: Update text to match currently supported upstream PHP versions (8.1+).
  * (T354045) API: mark HTML output as non-cacheable.
  * (T355530) filerepo: Fix img_major_mime for files with non-standard extensions.
  * (T355530) MimeAnalyzer: Add @since to isValidMajorMimeType.
  * (T317489, T319202) Mark some parserTests on talk pages Parsoid only on REL1_39.
  * (T350594) Update wikimedia/parsoid to 0.16.3.
  * (T352554) ZhConverter: Fix language variant fallback chain.
  * (T357668) Parser::getExternalLinkAttribs: Don't set rel attribute to null.
  * LockManagerGroupIntegrationTest: Remove test depending on DBLockManager.
  * (T357808) LinkRendererTest: Add missing import for LinkTarget.
  * (T353305) ApiResetPassword: Allow both user and email parameters to be passed for reset.
  * (T358949) updateCollation: Explicitly cast $scale to int.
  * (T359055) api: Improve linking of language codes lists in top level i18n messages.
  * (T359294) Make sure MovePage::isValidFileMove matches UploadBase::getTitle.
  * (T230245) Respect $maxConcurrency when queuing async FileOps.
  * (T352554) Follow-up "ZhConverter: Fix language variant fallback chain".
  * (T292237, T317451) build: Restore Doxygen output for MediaWiki release tags.
  * (T324903) HistoryPager: Add #[AllowDynamicProperties].
  * (T360850) Update Apache config syntax in .htaccess files.
  * (T309714, T354274) mime: Add support for 'font/woff' and 'font/woff2' mime type.
  * (T309714) mime: Make test cases use data provider.
  * (T331608) installer: Bear with schema drift caused by running old updater.
  * docs: Remove use of $IP from mwdocgen.php.
  * (T317451) build: Restore Doxygen output for MediaWiki release tags (take 3).
  * docs: Set stable permalink on markdown files.
  * (T357019) allow maintenance/deleteBatch.php to accept page ID.
  * (T355538, CVE-2024-PENDING) XSS in edit summary parser.
  * (T357760, CVE-2024-PENDING) Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

-------------------------------------------------------------------
Fri Feb 23 18:12:38 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Use %autosetup macro. Allows eliminating the use of the deprecated %patchN
  macros; prepares for RPM 4.20

-------------------------------------------------------------------
Sun Jan 14 11:04:22 UTC 2024 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.6
  Security and maintenance release
  * Localisation updates.
  * Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
  * Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
  * (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
  * Added symfony/polyfill-php82.
  * Added symfony/polyfill-php83.
  * Updated symfony/yaml from 5.4.10 to 5.4.23.
  * (T329609) ApiQueryLanguageinfoTest: Do not pass a float to setFakeTime.
  * Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
  * tests: Provide coverage for StatusValue::__toString.
  * StatusValue: Improve logging/debug output with multibyte characters.
  * (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped messages used in rights log.
  * Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
  * (T229992) LocalisationCache: Preserve fallback source language info.
  * (T275085) Fix logging Status objects to 'authevents' channel.
  * (T341310) DEVELOPERS.md: mention git clone and WSL.
  * (T351758) DEVELOPERS.md: reword WSL instructions to include best practices.
  * (T349115) LocalisationCache: Fix a rare case in fallback source language.
  * SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated".
  * maintenance: Add missing parenthesis to SQL in attachLatest.php.
  * (T353472) maintenance: Fix join condition in DeduplicateArchiveRevId.
-------------------------------------------------------------------
Mon Oct 9 05:25:32 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.5
  Security and maintenance release
  * Localisation updates.
  * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
  * docs: Fix a few typos in MainConfigSchema.
  * (T309714) mime: Add support for 'font/sfnt' mime type.
  * (T341434) WikiImporter: Improve error message output.
  * (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than PHP's.
  * (T341737) ApiBase: Cast $id to string in filterIDs.
  * (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
  * (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
  * (T237898) installer: Check MariaDB version in updater/installer.
  * (T342632) ApiComparePages: Add help url.
  * (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
  * (T342351) rdbms: Fix postgres db function call.
  * (T343675) user: Use {@} to escape annotation when writing about annotation.
  * (T343797) LanguageWa: Fix double timezone adjustment.
  * (T326454) Update pear/mail to 1.5.1.
  * (T343622) docs: Set the <comment> tag back to optional.
  * (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
  * (T337463) wdio-mediawiki: await saveScreenshot.
  * (T274041) Include core PSR-4 classes in the generated classmap.
  * (T208477) $wgPrivilegedGroups – Users belonging to some of the listed groups will be audited more aggressively.
  * doc: Improve description of "type" in extension.schema.v2.json.
  * Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
  * HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
  * (T288624) MultiHttpClient: Unset $this->cmh after closing it.
  * (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
  * (T265734) API Help: Note that parameters may be inherited from other context.
  * API: Make continue parameter help description more specific.
  * (T285545) i18n: Split apihelp for standard dir parameter.
  * (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
  * (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
  * (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
  * (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
  * (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
  * (T285545) api: Add message for list=watchlist&wlprop=expiry.
  * (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
  * (T342633) api: Add message for action=compare&prop=timestamp.
  * API: revids=… does not necessarily return the queried revisions.
  * (T326696) user: Truncate option value in UserOptionsManager.
  * (T326696) ApiOptions: Give warning if the value is too long.
  * API i18n: Add {{PLURAL:}} for byte count messages.
  * (T235207) Get correct main page in API call examples.
  * doc: Make extension.schema.v2.json a valid JSON schema.
  * updateSpecialPages.php: Avoid implicit float conversion on modulo.
  * (T347227) ImportReporter: Make callback functions public.
  * (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
  * doc: Improve description of type in extension.schema.v1.json.
  * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
  * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
  * (T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
  * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
  * (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

-------------------------------------------------------------------
Wed Jul 5 05:35:42 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.4
  Security and maintenance release
  * Localisation updates.
  * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
  * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5).
  * (T333776) Template:ACTIVEUSERS wasn't being updated without updateSpecialPages.php.
  * (T258860) Prevent LogicCache exception from message cache during IO errors from memcache.
  * (T336868) Improve idempotency of postgres index upgrades.
  * (T322944) Add Authorization to default $wgAllowedCorsHeaders.
  * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
  * A fake MessageLocalizer for use in unit tests.
  * (T338114) Title: Add forward alias.
  * composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
  * (T330464) Work around argument corruption bug in XMLReader::open.
  * Fix frame and frameless rdfa depending on file existing.
  * Fixes for the phan upgrade, part 1.
  * Fixes for the phan upgrade, part 2.
  * (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
  * build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
  * (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
  * (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
  * A manualthumb that doesn't exist should be considered a thumb error.
  * (T313157) IndexPager: Also protect against $offset being 0.
  * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

-------------------------------------------------------------------
Fri Mar 31 04:47:38 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.3
  Security and maintenance release
  * Localisation updates.
  * (T225218) LinksUpdate: Use DB key for category links table.
  * GlobalFunctions: Remove check for MEDIAWIKI constant.
  * (T329484) API: Fix query+allimages user parameter description.
  * (T330529) SpecialEditTags: Set default of '' for wpReason.
  * (T330382) postgres: Make the upgrade ignore dropping indexes that might not exist.
  * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
  * (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
  * (T325529) Fix total breakage of wgCanonicalServer fallback.
  * (T318103) mediawiki.storage: Disable async GC during integration test.
  * (T332461, T332397) TempFSFile: Keep the WeakMap alive.
  * (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
  * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers.
- Fix some rpmlint warnings

-------------------------------------------------------------------
Sun Mar 19 11:26:11 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.2
  Maintenance release
  * Localisation updates.
  * (T325872) ChangeTags: Remove table name from condition.
  * (T324895) MWCallbackStream: Add explicit $stream property.
  * (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField.
  * (T321319) Produce HTML for invalid JSON.
  * (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
  * (T223027) ReservedUsernames config: Add reserved names from maintenance scripts.
  * (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
  * Remove /images .htaccess rules that are no longer relevant.
  * Disable php in .htaccess of images directory as a hardening measure.
  * (T322583) Include missing message parameter in message.
  * LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
  * DatabaseSqlite: fix null blobs.
  * rdbms: avoid pg_escape_bytea() call-style deprecation notices.
  * (T322278) Improve LocalisationCache post-merge validation check.
  * (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
  * (T322278) Fix the remaining Phan failures on PHP 8.1.
  * (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
  * Fix phan error when Excimer is enabled.
  * (T326021) Add matrix: to $wgUrlProtocols.
  * (T314099) stream wrapper: Declare $context class property.
  * (T314099) libs\jsminplus: Declare JSNode::$expression.
  * (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
  * (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
  * (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
  * (T215466, T326071) installer: Split drop action out of the SQL patch for actor migration.
  * (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
  * (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
  * api/en.json: api-help-datatype-expiry add missing 'may'.
  * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
  * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
  * (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
  * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
  * (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
  * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
  * (T327821) skin: Restore default 'value' attribute in makeSearchButton().
  * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
  * (T329415) Clear the statsd data buffer regardless of StatsdServer config.
  * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
  * (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
  * (T324894) TempFSFile: Use a WeakMap for reference tracking if available.
  * (T295637) Add no to fallback chain of nb and nn.

-------------------------------------------------------------------
Sat Dec 24 06:32:21 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.1
  Security and maintenance release
  * Localisation updates.
  * PostgresUpdater: Remove trailing space from 'user_id ' column.
  * (T304515) LCStoreStaticArray: atomically replace the cache file.
  * (T324516) postgres: Fix upgrade for templatelinks primary key.
  * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
  * (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
  * (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
  * (T314099) api: Remove use of undeclared property in action=comparepages.
  * Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
  * (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
  * Updated pear/mail (v1.4.1 => v1.5.0).
  * Removed wikimedia/dodo (v0.4.0).
  * (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot=<role-name> query parameters.
  * (T322637) SECURITY: sqlite should not create DB file world-readable.

-------------------------------------------------------------------
Sun Dec 4 07:13:30 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.39.0
  * MediaWiki 1.39 is an LTS and is due to be supported until the end of November 2025.
  * Please visit and read before updating: https://www.mediawiki.org/wiki/Release_notes/1.39
- Update Requires to php > 7.4.3 and < 8.2.0
- Rebase and rename mediawiki-use-localsettings-from-webroot.patch

-------------------------------------------------------------------
Fri Sep 30 15:07:49 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.37.6
  Maintenance release
  * Fix missing use statement from backport of fix for T307278.
- Changes in Mediawiki 1.37.5
  Security and maintenance release
  * Localisation updates.
  * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
  * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
  * (T312302) SpecialRedirect: Don't pass null to explode.
  * RemoveInvalidEmails: Fix quoting for postgres.
  * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen().
  * (T312300) SpecialDiff: Don't pass null to explode().
  * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
  * (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
  * (T289926) Ensure that strlen() does not get passed a (valid) null.
  * (T312301) SpecialDiff: Don't pass null to trim().
  * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
  * (T289926) Ensure we don't pass null to mb_strlen.
  * (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls.
  * (T289926) site: Consistently return null from Site::getDomain().
  * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept().
  * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
  * Add application/vnd.ms-opentype to MIME list.
  * Allow composer/installers plugin in composer.json.
  * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1.
  * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
  * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1.
  * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource.
  * Fix tests so getName() doesn't return null.
  * (T313663) [php8] Don't use strlen on potentially null string.
  * (T313663) [php8.1] Suppress test warning about providing null.
  * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp.
  * (T313663) Add explicit null check for $sha in FileBackend [php8.1].
  * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
  * (T313663) Mock UserOptionsManager::getOption for php8.1.
  * (T289879, T289926) Get rid of warnings on PHP 8.1.
  * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec.
  * (T313663) cast db name to string when checking if it is read only [php8.1].
  * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
  * Fix a couple deprecation warnings in the installer under PHP 8.1.
  * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
  * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1].
  * (T314096) Migrate use of ${var}-style string interpolation.
  * (T314099) preprocessor: Add missing field declarations.
  * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null.
  * (T314225) SpecialCategories: Null coalescence $par.
  * (T314099) User: Allow dynamic properties on PHP 8.2.
  * (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
  * (T314099) phpunit: Fix trivial dynamic property usages in tests.
  * (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
  * (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1.
  * (T313663) Do not test giving a null fragment to Title::makeTitle.
  * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
  * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
  * api: Add rel=nofollow to help examples.
  * (T307613) Validate length of user email on Special:ChangeEmail/Special:CreateAccount.
  * (T314226) LoginSignupSpecialPage: Check if $value is a string before length.
  * (T314824) tests: Update parser test after i18n change.
  * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
  * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions.
  * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
  * (T315892) composer.json: Pin phpunit to 8.5.28.
  * (T313049) Bump wikimedia/parsoid to v0.14.2.
  * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change.
  * (T318079) SpecialEditTags: Set default value of wpTagsToRemove to empty array.
  * (T318460) SpecialChangeEmail: Set default for returntoquery.
  * (T318307) Update docs for HTMLFormField::validate() to permit all data types.
  * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
  * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
  * (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.

-------------------------------------------------------------------
Sat Jul 9 17:02:25 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.37.4
  Maintenance release
  * Localisation updates.
  * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
  * (T311559) SpecialListFiles: user parameter isn't always present.
  * (T311561) ImageListPager: Don't call htmlspecialchars() on null.
  * (T311920) SpecialBlockList: Prevent passing null to trim().
  * (T311921) SpecialUserrights: Don't pass null to str_replace.
  * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize().
  * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
  * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
  * (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields.
- Changes since Mediawiki 1.37.3
  Security and maintenance release
  * Localisation updates.
  * (T289879) Type hints for ArrayAccess and JsonSerializable.
  * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
  * Rebuilt vendor with composer 2.3.3.
  * Fix old_name in UserLogoutComplete hook.
  * (T289879) Address some deprecations for PHP 8.1.
  * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.
  * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered.
  * (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
  * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
  * (T308473) SECURITY: Escape contributions-title msg for use within page title.
  * (T311272) Call parent constructor of AddSite maintenance script first.
  * MediaWiki: Don't eagerly initialize action name.
  * Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
  * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
  * (T289926) Avoid passing null to trim() in SkinTemplate.
  * (T311473) rollbackEdits: Pass user identity to RollbackPage.
  * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
  * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
  * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode().
  * (T311569) FileBackend::isStoragePath() Handle being passed null.
  * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param.
  * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
  * (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
  * (T296642) changetags: Fix management of a '0' tag.
  * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
  * (T303033) Handle null in ChangeTags::modifyDisplayQuery.
  * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.

-------------------------------------------------------------------
Sun Apr 10 06:11:51 UTC 2022 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.37.2
  Security and maintenance release
  * (T298261) Fix support for Composer 2.2.
  * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
  * Update doctrine/dbal (3.0.0 => 3.1.5).
  * (T296898) Add entry point name to disabled Session exception if possible.
  * (T298564) MemcachedClient: Add support for IPv6.
  * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete.
  * (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode.
  * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
  * (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
  * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
  * (T275673) objectcache: Avoid getCurrentTime() call in MapCacheLRU::has().
  * (T275673) objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead.
  * Fix the json schema and the extension processor for Parsoid extension modules.
  * (T299696) update.php: Avoid passing null to substr.
  * (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField.
  * In PHP 8.1 don't throw exceptions from mysqli.
  * (T289926) SiteConfiguration: Don't pass null to str_replace().
  * (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
  * (T260735) Stop using is_resource() where possible.
  * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces.
  * (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
  * ExtensionRegistry: Add process cache for lazy attributes.
  * (T301041) ApiPageSet: Add "missing": true to missing revisions.
  * Allow ParsoidModules extension schema to register services.
  * (T300462) SpecialUndelete: Do not show empty comments as deleted.
  * (T297708) Allow setting max execution time to several special pages.
  * (T205349) LinkCache: Try invalidating cache before throwing.
  * (T302540) composer.json: Add ext-calendar to require.
  * (T302540) composer.json: Add ext-simplexml to require-dev.
  * (T302540) composer.json: Add various PHP extensions to suggests.
  * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
  * (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
  * (T293576) listFiles: Display file name instead of version.
  * (T303871) Fix @since of Title::getId().
  * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
  * wrapOldPasswords: add \n to two output calls.
  * (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
  * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.
  * (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on an extremely large number of other pages.

-------------------------------------------------------------------
Sun Dec 19 11:19:59 UTC 2021 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.37.1
  Security and maintenance release
  * (T296112) Allow inserting new sections named '0'.
  * Fix path for ZhConversion.php.
  * nukeNS: don't run purgeRedundantText() after every change.
  * (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
  * (T225888) RollbackAction: fix missing pagetitle.
  * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
  * (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
  * (T34716, T297416) SECURITY: Require 'read' right for most actions.
  * (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.

-------------------------------------------------------------------
Fri Nov 19 11:36:11 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Update to Mediawiki 1.37.0
  Read the full release notes at https://www.mediawiki.org/wiki/Release_notes/1.37

-------------------------------------------------------------------
Sun Oct 10 18:32:02 UTC 2021 - Carsten Ziepke <kieltux@gmail.com>

- Update to Mediawiki 1.36.2
  Security and maintenance release
  * Don't access MWServices prematurely in Maintenance.php.
  * (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
  * Installer: Fix foundation.wikimedia.org link in config-pingback-help.
  * (T283273) Make postgres IRC channel point to libera.chat.
  * composer.json: Promote and pin monolog/monolog to require from require-dev.
  * (T287526) JavaScriptMinifer: Recognize `...` as a single token.
  * (T287526) Update wikimedia/minify to 2.2.4.
  * (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
  * (T281549) Installer: Fix mediawiki-announce auto subscription code.
  * FormatJson: Optimize encode() for supported PHP versions.
  * (T290398) renameRestrictions.php: Update protected_titles as well.
  * (T290489) objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
  * $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
  * (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
  * (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
  * (T291244) Unserialize objects in ParserCache->mExtensionData as objects.
  * MysqlUpdater: Add updatelog entries for dropDefault.
  * (T290776) Fix $phase check in OutputHandler.
  * The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.
  * (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
  * (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
  * (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

-------------------------------------------------------------------
Fri Jun 25 05:32:16 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>

- Update to Mediawiki 1.36.1
  Security release
  * (T283942) DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
  * (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
  * (T283244) JavaScriptMinifer: Fix handling of "delete" as object property.
  * (T284391) Fix SkinModule to correctly prepend remote path on document root installs.
  * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
  * (T278579) Don't send headers on ob_end_clean().
  * (T285287) MultiHttpClient: Replace PHP version check with defined().
  * (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
------------------------------------------------------------------- Fri Jun 4 12:36:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Update to version 1.36.0 * Upgrade notes - MediaWiki 1.36 now requires the PHP internationalization extension (commonly referred to as Intl, ext-intl, or php-intl). - The MediaWiki:Autoblock_whitelist block exemption control has been moved to MediaWiki:Block-autoblock-exemptionlist. If you use this feature, please move the MediaWiki:Autoblock_whitelist page. - (T275334) $wgExtensionFunctions is sometimes used to change configuration settings. This is not safe; extension functions are run relatively late, some services are already initialized by that point and so they use the old configuration. Changes in 1.36 make this kind of breakage even more common. You can use the MediaWikiServices hook instead. (In the future there might be a dedicated hook for configuration changes.) - The MediaWiki update script, maintenance/update.php, used to accept `--nopurge` as an option to prevent clearing caches stored in the database during upgrade. This is no longer encouraged, and the option has been removed. * New features - The logo of MediaWiki has changed. This means that the "Powered By MediaWiki" button shown in the skin footer will be different. - All HTML5 named entities are now accepted in wikitext. - (T106263) The file description page's alternate sizes now include 2048px. * Action API changes - `Access-Control-Max-Age` was added to the default list of headers allowed for cross-origin API requests ($wgAllowedCorsHeaders). - Accounts with the 'bot' right no longer have pages automatically added to the watchlist when making API edits, regardless of their preferences. This is to reduce the size of the watchlist data in the database. To add API bot edits to the watchlist, explicitly set the 'watch' option. 
* New configuration options - (T256001) $wgManualRevertSearchRadius – This setting controls a new feature that marks edits as reverts if they restore the page to an exact previous state. This configuration variable sets the maximum number of revisions of a page that will be checked against every new edit. Set this to 0 to disable the feature entirely. - (T244058) $wgOldRevisionParserCacheExpireTime — This setting was added to control caching of ParserOutput for old (non-current) revisions. - (T265263) $wgRememberMe - This setting configures the "remember me" checkbox on account log-in systems via RememberMeAuthenticationRequest. - (T157145) $wgSkinMetaTags – This setting lets sysadmins configure skins that support meta tags. These tags make sharing of MediaWiki pages on a variety of social platforms more contentful and thus useful. - (T280944) $wgIncludejQueryMigrate - This setting lets sysadmins disable the jQuery Migrate plugin. It has been enabled by default since MediaWiki 1.27. In future releases it will be disabled by default. * Changed configuration options - $wgLogos – This setting selects the logo shown on the site. The default value for the site logo, which is shown in an install if you have not set one, will now be the new logo of MediaWiki. - (T274695) $wgAjaxEditStash — This setting, to disable the edit stashing feature when users start writing an edit summary, has been deprecated. In future releases, this feature will always be enabled. - $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand media scaling, was deprecated. Use the `thumbProxyUrl` setting in $wgLocalFileRepo instead. - $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical respectively. The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which try to read them. 
- $wgWANObjectCaches - The "coalesceKeys" option was removed without deprecation and replaced by a new "coalesceScheme" option, set to "hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys" option to "hash_tag". The "cluster" and "mcrouterAware" options were also removed without deprecation. Use "broadcastRoutingPrefix" instead. * Removed configuration options - $wgUseTwoButtonsSearchForm — This setting, deprecated in 1.35, has been removed. - $wgAllowImageMoving — This setting, deprecated in 1.35, has been removed. Use group permission settings instead. For example, to prevent sysops from moving files, set $wgGroupPermissions['sysop']['movefile'] = false;` - $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields, $wgExtPGAlteredFields, $wgExtModifiedFields — These settings were removed. They became obsolete after 1.17 overhauled the database updater, but were kept for backwards compatibility. The LoadExtensionSchemaUpdates hook should be used instead. - $wgParserConf - This setting, deprecated in 1.35, has been removed. The last use of this setting was for pre-processor configuration, which was deprecated in 1.34 and removed in 1.35. - $wgEnableRestAPI - This setting, ignored since 1.35, has been removed. - $wgPagePropsHaveSortkey – This temporary setting has been removed, along with the schema change upgrade path it controlled. If your site is still using it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24, you must now apply it before upgrading. - The deprecated password policies PasswordCannotMatchBlacklist and PasswordNotInLargeBlacklist were removed. Please use PasswordCannotMatchDefaults and PasswordNotInCommonList respectively instead. 
------------------------------------------------------------------- Wed Apr 21 10:48:28 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Update to version 1.35.2 * (T270450) The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered(). * Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support. * Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support. * Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support. * (T270734) Fix display of Special:Preferences URL in password reset email. * (T252774, T271441) resourceloader: Give SkinModule 'features' option an extensible default. * (T271441) Unknown features shouldn't break style output. * (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0. * DefaultSettings.php: Update $wgPingback documentation. * Fix docs for LanguageConverter::translate. * (T272250) Don't rely on implicit string->int cast in comparison. * (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine. * (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null. * Remove nonfunctional default sampling for WANObjectCache metrics. * (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook. * (T270852) Hooks: Map dash character to underscore when generating hook names. * (T271551, T270145) Fix fetching ipblock-exempt within BlockManager::getUserBlock. * PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0. * (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests. * (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs. * (T248925) Special:Contributions reports negative namespace error on PHP 8. * (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8. * (T248925) Fix CacheTime::getCacheExpiry for PHP 8. * (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking. 
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of SQLite write lock. * (T272326) Fix DeprecationHelperTest on PHP 8. * Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support. * (T236639) OutputPage: Make $wgDebugRedirects work again. * (T274648) registration: Allow reusing cached metadata between wikis. * CdnCacheUpdate: Send full URL instead of path to Curl for purge. * Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support. * FileBackend: Do not use SOCKET_ENOENT on windows. * (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once. * (T275261) Escape wikitext in the title in invalid title error messages. * (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL. * (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above minimum. * (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support. * (T269293) Record all used options in metadata. * Allow usage of Composer 2.0 to install MediaWiki's dependencies. * (T259872) skins: Call headElement() after getTemplateData() in SkinMustache. * (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens. * (T272412) Add "Account data" section to user preferences. * (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook. * (T277520) registration: Allow specifying immovable namespaces in extension.json. * (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods. * (T254688) Remove page inner join from subquery in SpecialWhatLinksHere. * (T122124) signup: added help message for security. * (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles. * (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages. * (T277414) HTMLFormField: Use non namespaced class name rather than static::class. 
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0. * (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8. * (T268230) Switch to new MediaWiki logo by Serhio Magpie. * (T271735) Expand config-pingback-help, link to privacy policy in config-pingback. * Fix documentation of user-global in $wgRateLimits. * BackupDumper: Add -o as shortcode for --output. * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors. * (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect. * (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move. * (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user cancreate pages. * (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags. ------------------------------------------------------------------- Sun Feb 21 09:23:23 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Fixed invocation of upgrade script - Hard-Code main version - scripts don't work nicely with osc ------------------------------------------------------------------- Sun Feb 21 08:26:23 UTC 2021 - Carsten Ziepke <kieltux@gmail.com> - Update to version 1.35.1 * (T263929) purgeList.php Fix all-namespaces option to match one used in code. * (T248719) ParserCache::get - fix wfDeprecated call. * (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab. * Preload mediawiki.watchstar.widgets before api request. * (T261030) ApiEditPage: Show existing watchlist expiry if status is not being changed. * (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string. * (T248925) Remove final modifier on private function. * (T264683) Remove ipb_anon_only from ipb_address_unique index addition. * (T261415) Add days left messages to changes-lists' clock icons. 
* Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave. * (T261260) Preload class used in HeaderCallback. * (T260868, T260009) Normalize WatchedItem expiry field. * (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields. * (T264534) ApiPageSet: Avoid infinite loop when merging redirects. * (T196906) Empty Monolog loggers are now real blackholes. * (T258649) WatchAction: avoid UPDATE when old and new watch period is indefinite. * Parser: Adjust typehint to show that getTitle can return null. * (T263592) media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData(). * (T265223) BaseTemplate: Guard against passing zero arg to array_merge(). * (T264965) Fix base path handling for MessagePosterModule registration. * (T252183) Fix Database::getTempTableWrites for multi table DDLs. * (T182546) Fix switch/case indentation per mediawiki coding conventions. * Flip Yoda conditionals. * (T263213) Move SkinTemplate::getFooterLinks() to Skin. * build: Updating mediawiki/mediawiki-codesniffer to 33.0.0. * (T267105) Make ImageBuilder::checkMissingImage public. * Updating guzzlehttp/guzzle (6.5.4 => 6.5.5). * (T266681) Support new style hook registration on install and update. * (T266980) Fix unsetting of copyright icon in FooterIcons. * upload.js: Don't assume that warnings array will include 'code' key. * upload.js: Fix typo in upload API. * (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded. * (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText(). * (T266418) composer.json: add requirement for composer-plugin-api ^1.1. * (T261431) Add ARIA attributes to watchlink and its notification. * (T258877) Change invalid 'Content-Encoding: none' header. * Fix trailing ; in patch-sites-site_language-35.sql. * (T248852) wfAssembleUrl: Handle empty query field in URL bits. * (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0). 
* (T268887) migrateComments: Cast array keys back to string before passing to the DB. * (T266619) Introduce new $wgThumbPath config. * (T269178) MemcachedClient: Cast Resource to integer. * (T263925) Use the old HookContainer to set up the post-reset services. * Change "site cache" to just "cache" in the right-purge message. * [UploadedFileStreamTest] Skip test with chmod. * (T269710) Updating composer/semver (1.5.1 => 1.7.2). * (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0). * (T260631, T260633), BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database. * (T265778) Fix English/*nix specific error messages in FSFileBackend. * (T267543) Split dropping of image.img_user_timestamp. * [FileTest] Do not assume /tmp exists on windows. * Clean up temp files correctly after unit tests. * Skip undo related phpunit tests when diff3 is missing. * (T269964) rdbms: Remove outer parentheses in insert query for Postgres. * (T263911) In MWExceptionHandler::report(), catch all throwables. * (T268894, CVE-2020-35474) SECURITY: Use Html::element in ChangeListSpecialPage for sanity. * (T268917) Use Xml::element in SpecialUserrights for sanity. * (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity. * (T268938) Fixed mixed escaping in Language::translateBlockExpiry. * (T263911) UserOptionsManager: don't differentiate anons caches. * (T261260) HeaderCallback: pre-cache request ID. * Parsoid updated to v0.12.1. * (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. * (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users. 
* (T270145) Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP. - Add requires cron, fix missing-dependency-to-cron for cron script /etc/cron.d/mediawiki ------------------------------------------------------------------- Tue Dec 15 17:12:36 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - New cronjob must run as root ------------------------------------------------------------------- Mon Dec 14 16:52:16 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - Extract main version from version ------------------------------------------------------------------- Mon Dec 14 14:06:30 UTC 2020 - root <root@vie.weberhofer.at> - Updated to version 1.35.0 Changelogs: * https://www.mediawiki.org/wiki/Release_notes/1.35 * https://www.mediawiki.org/wiki/Release_notes/1.34 - Don't forget to always back up your database before upgrading! - The minimum PHP Version is mow 7.3.19 - Replaced mediawiki-1.33-use-localsettings-from-webroot.patch by updated Created mediawiki-1.35-use-localsettings-from-webroot.patch - merged, improved and refactored script files - resolves bnc#1179340 ------------------------------------------------------------------- Fri Dec 11 10:49:14 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - Put Apache configuration in separate subpackage ------------------------------------------------------------------- Fri Dec 11 09:23:02 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - Don't Require: mod_php_any as this creates a hard dependency on apache2-prefork (use php-session instead) ------------------------------------------------------------------- Wed Dec 9 19:04:21 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - Use system apache rpm macros ------------------------------------------------------------------- Mon Jul 6 06:47:55 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Updated to version 1.33.4 Security and maintenance release: * (T247017) PasswordReset performance improvements. 
* The MultiHttpClient code will fallover to non-curl if curl_multi* is blocked. * (T250568) Work around change in SimpleXMLElement behavior introduced in PHP 7.3.17. * Remove some rotten and out of date documentation. * (T252311) Improvements to some older SQLite update patches. * (T240307) Minor fixes to extension.schema.v2.json and extension.schema.v1.json. * rdbms: Add callback for atomic section cancellation. * (T191668) NameTableStoreTest::getCallCheckingDb simplification. * Make NameTableStore use LoadBalancer::getConnectionRef(). * (T224949) NameTableStore: ensure consistency upon rollback. * (T199474) Set rc_patrolled to 2 for autopatrolled changes in rebuildrecentchanges.php. * (T229461) Update the change_tag table in rebuildrecentchanges.php. * (T234450) Per-user concurrency in SpecialContributions can now be limited by setting $wgPoolCounterConf['SpecialContributions'] appropriately. * (T248947) SECURITY: img_auth.php may leak private extension images into the public cache. ------------------------------------------------------------------- Thu Apr 02 14:58:06 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Updated Documentation ------------------------------------------------------------------- Sun Mar 29 07:02:06 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Updated to version 1.33.3 Security fixes: * (T232932) User content can redirect the logout button to different URL. * (T246602) jquery.makeCollapsible allows applying event handler to any CSS selector. ------------------------------------------------------------------- Sun Mar 8 21:45:23 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Updated to version 1.33.2 Changelogs: * https://www.mediawiki.org/wiki/Release_notes/1.34 * https://www.mediawiki.org/wiki/Release_notes/1.33 * https://www.mediawiki.org/wiki/Release_notes/1.32 - Refactored the maintenance scripts which are now installed in /usr/bin. 
The scripts have been renamed to mediawiki-update.sh and mediawiki-makealias.sh - BREAKING CHANGES: Read /usr/share/doc/packages/mediawiki/README.DISTRIBUTION ------------------------------------------------------------------- Sat Mar 7 12:50:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at> - Renamed scripts and moved the scripts to /usr/bin ------------------------------------------------------------------- Sat Feb 15 07:28:00 UTC 2020 - Carsten Ziepke <kieltux@gmail.com> - Updated mediawiki-1.31-use-localsettings-from-web-path.patch. Fix for "PHP Warning: Use of undefined constant MW_CONFIG_FILE". ------------------------------------------------------------------- Sat Dec 21 10:13:57 UTC 2019 - ecsos@opensuse.org - Update to version 1.31.6 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.5 - (T181658) Do not insert page titles into querycache.qc_value. - (T206013) Suppress errors when reading invalid XML file properties. - (T237931) Remove references to pg_attrdef.adsrc in Postgres code. - Use correct value for 'sslmode' in DatabasePostgres. - (T232866) Fix support for HTTP/2 in MultiHttpClient. - (T227461) Stop calling deprecated Redis delete functions. - (T239561) Mark options as requiring parameters in addSite.php. - (T239734) Replace deprecated lSize with lLen in Redis code. - (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset. - (T239428) ApiEditPage: Test for bad redirect targets. - (T233342) rdbms: Log debug message traces as 'exception.trace' instead of 'trace' - (T226751) media: Log and fail gracefully on invalid EXIF coordinates. - (T212067) Work around PHP bug in parse_url. - Changes from version 1.31.5 This is a maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.4 - Fix extra newlines in installer. - Followup T230402, PermissionManager doesn't exist until 1.33, so fix the backported patches to use User::isAllowed() instead. 
------------------------------------------------------------------- Sun Oct 13 12:27:58 UTC 2019 - ecsos@opensuse.org - Update to version 1.31.4 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.3 - (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3. - The ImgAuthModifyHeaders hook was added to img_auth.php to allow modification of headers in private wikis. - (T230402) SECURITY: Add permission check for suppressed account to Special:Redirect. - Add helper for HTTPFileStreamer header syntax. - (T118799) Fix XMP parser errors due to trailing nullchar. - (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy. - (T202183) Give more specific error messages on Special:Redirect. - Cache redirects from Special:Redirect. - (T231386) dispatchUser() should use a 302 http status code. - (T227662) Split down patch-comment-table.sql and patch-actor-table.sql into separate files to help allieviate potential migration problems. - Make SQLite's patch-add-3d.sql a no-op to prevent clobbering other database updates. ------------------------------------------------------------------- Wed Jul 31 06:40:16 UTC 2019 - ecsos@opensuse.org - Update to version 1.31.3 This is a maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.2 - (T225558) Update installer link to PHP intl. - (T225496) Detect APC for MainCacheType in CLI installer. - (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies. - (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order. - Changes from version 1.31.2 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.1 - (T197279, CVE-2019-12468) Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover. 
- (T204729, CVE-2019-12473) Passing invalid titles to the API could cause a DoS by querying the entire `watchlist` table. - (T207603, CVE-2019-12471) Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script. - (T208881) blacklist CSS var(). - (T199540, CVE-2019-12472) It is possible to bypass the limits on IP range blocks (`$wgBlockCIDRLimit`) by using the API. - (T212118, CVE-2019-12474) Privileged API responses that include whether a recent change has been patrolled may be cached publicly. - (T209794, CVE-2019-12467) A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. - (T25227, CVE-2019-12466) An account can be logged out without using a token (CSRF). - (T222036, CVE-2019-12469) Exposed suppressed username or log in Special:EditTags. - (T222038, CVE-2019-12470) Exposed suppressed log in RevisionDelete page. - (T221739, CVE-2019-11358) Fix potential XSS in jQuery. - Required PHP version has been increased from 7.0.0 to 7.0.13. ------------------------------------------------------------------- Thu Nov 29 11:37:27 UTC 2018 - jweberhofer@weberhofer.at - mediawiki-1.31-use-localsettings-from-web-path.patch fixes the handling of locations in our directories - cleaned up spec - cleaned up admin scripts ------------------------------------------------------------------- Fri Nov 2 08:59:31 UTC 2018 - ecsos@opensuse.org - Update to version 1.31.1 This is a security and maintenance release of the MediaWiki 1.31 branch. Changes since MediaWiki 1.31.0 - (task T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides 'newbie'. - (task T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's account lock. - (task T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files. - (task T197229) Bundle Nuke extension, it was accidentally omitted. - (task T193995) Fix undefined patchPath() method call in parser tests. 
- (task T198687) Fix various selectFields methods to use the string 'NULL', not null. - Special:BotPasswords now requires reauthentication. - (task T191608, (task T187638) Add 'logid' parameter to Special:Log. - (task T193829) Indicate when a Bot Password needs reset. - (task T198037) GitInfo: Don't try shelling out if it's disabled. - (task T151415) Log email changes. - (task T197206) Fix performance regression when multiple DB used without caching. - (task T197030) PHPSessionHandler: Suppress headers warnings in initialize(). - (task T182377, task T196793) Exif: Guard against uncountable tag values. - (task T200861) Fix total breakage of SQLite web upgrade. - (task T200864) Fix pingback over-reporting on non-MySQL databases - (task T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader hooks. - rebase makealias.sh for apache >= 2.4 and new .htaccess ------------------------------------------------------------------- Mon Jun 18 17:21:05 UTC 2018 - ecsos@opensuse.org - Update to version 1.31.0 - requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is supported See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.31 (There are too many changes to list here) ------------------------------------------------------------------- Mon May 28 16:11:59 UTC 2018 - jweberhofer@weberhofer.at - Clean-up spec file - Do no longer require php-ssl - Removed sections for suse < 10.x ------------------------------------------------------------------- Mon Feb 19 15:14:04 UTC 2018 - jweberhofer@weberhofer.at - Updated dependencies - Update to version 1.30.0 See changelog at https://www.mediawiki.org/wiki/MediaWiki_1.30 Configuration changes: * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid unexpected behavior when code uses locale-sensitive string comparisons. For example, the Scribunto extension considers "bar" < "Foo" in most locales since it ignores case. * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. 
See documentation of $wgShellLocale for details. * $wgShellLocale is now applied for all requests. wfInitShellLocale() is deprecated and a no-op, as it is no longer needed. * $wgJobClasses may now specify callback functions as an alternative to plain class names. This is intended for extensions that want control over the instantiation of their jobs, to allow for proper dependency injection. * $wgResourceModules may now specify callback functions as an alternative to plain class names, using the 'factory' key in the module description array. This allows dependency injection to be used for ResourceLoader modules. * $wgExceptionHooks has been removed. * (T45547) $wgUsePigLatinVariant added (off by default). * $wgRangeContributionsCIDRLimit was introduced to control the size of IP ranges that can be queried at Special:Contributions. New Features: * (T163562) Added the ability to search for contributions within an IP range at Special:Contributions. References to revisions made by IPs are stored in the ip_changes table to make querying for ranges more efficient. * (T37247) Output from Parser::parse() will now be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using ParserOptions::setWrapOutputClass(). * Added the 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software- specific tags to be added by users. * Added the 'ParserOptionsRegister' hook to allow extensions to register additional parser options. * (T45547) Included Pig Latin, a language game in English, as a LanguageConverter variant. This allows English-speaking developers to develop and test LanguageConverter more easily. Pig Latin can be enabled by setting $wgUsePigLatinVariant to true. * Added the 'RecentChangesPurgeRows' hook to allow extensions to purge data that depends on the recentchanges table. * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages. 
  Action API changes:
  * (T37247) action=parse output will be wrapped in a <div> with class="mw-parser-output" by default. This may be changed or disabled using the new 'wrapoutputclass' parameter.
  * When errorformat is not 'bc', abort reasons from action=login will be formatted as specified by the error formatter parameters.
  * action=compare can now handle arbitrary text, deleted revisions, and returning users and edit comments.
  * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto', 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree' parameters to prop=revisions are deprecated, as are the similarly named parameters to prop=deletedrevisions, list=allrevisions, and list=alldeletedrevisions. Use action=compare, action=parse, or action=expandtemplates instead.
  And several other changes.

-------------------------------------------------------------------
Tue Nov 21 17:17:16 UTC 2017 - ecsos@opensuse.org

- Update to version 1.29.2
  This is a security and maintenance release of the MediaWiki 1.29 branch.
  Changes since 1.29.1
  * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
  * (T175439) Unbreak Postgres Updater when setting defaults for a column.
  * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
  * Fixed login button label to accept RawMessage.
  * Fixed case of SpecialRecentChanges class usage.
  * (T174255) Declare uploadCount property in importDump.php.
  * (T163646) Pass a string not an int to mysql_real_escape_string().
  * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
  * Updated dev dependency phpunit/phpunit from v4.8.35 to v4.8.36.
  * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping. (CVE-2017-8808)
  * (T165846) SECURITY: BotPassword login attempts weren't throttled.
  * (T128209) SECURITY: Reflected File Download from api.php. (CVE-2017-8809)
  * (T134100) SECURITY: Do not reveal if user exists during login failure. (CVE-2017-8810)
  * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. (CVE-2017-8811)
  * (T125163) SECURITY: Make anchor for headlines escape > and <. (CVE-2017-8812)
  * (T180237) SECURITY: Protect vendor folder with .htaccess.
  * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
  * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit. (CVE-2017-8814)
  * (T119158) SECURITY: Handle -{}- syntax in attributes safely. (CVE-2017-8815)
  * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all branches in the previous security release. (CVE-2017-0361)

-------------------------------------------------------------------
Thu Oct 12 04:47:13 UTC 2017 - jweberhofer@weberhofer.at

- Require php-openssl instead of php-mcrypt
- Update to version 1.29.1. Changelog: https://www.mediawiki.org/wiki/MediaWiki_1.29
  Configuration changes
  * Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is kept at 180 days.
  * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
  * Subpages are now enabled by default in the Template namespace.
  New features
  * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits from certain IP ranges (e.g. private IPs).
  * Added new magic word {{PAGELANGUAGE}} which returns the language code of the page being parsed. (bug T59603)
  * Users can now be assigned to user groups for a limited period of time. See the help page for more information.
  Action API changes
  * Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now an error. They should be submitted in the POST body instead.
  * The capture option for action=resetpassword has been removed.
  * action=clearhasmsg now requires a POST.
  * (task T47843) API errors and warnings may be requested in non-English languages using the new errorformat, errorlang, and errorsuselocal parameters.
  * API error codes may have changed. Most notably, errors from modules using parameter prefixes (e.g. all query submodules) will no longer be prefixed.
  * action=emailuser may return a "Warnings" status, and now returns 'warnings' and 'errors' subelements (as applicable) instead of 'message'.
  * action=imagerotate returns an 'errors' subelement rather than errormessage.
  * action=move now reports errors when moving the talk page as an array under key talkmove-errors, rather than using talkmove-error-code and talkmove-error-info. The format for subpage move errors has also changed.
  * action=revisiondelete no longer includes a "rendered" property on warnings and errors for each item. Use errorformat=wikitext if you're wanting parsed output.
  * action=rollback no longer returns a messageHtml property. Use errorformat=html if you're wanting HTML formatting of error messages.
  * action=upload now reports optional stash failures as an array under key 'stasherrors' rather than a 'stashfailed' text string.
  * action=watch reports 'errors' and 'warnings' instead of a single 'error', and no longer returns a 'message' on success.
  * Added action=validatepassword to validate passwords for the account creation and password change forms.
  Action API internal changes
  * New methods were added to ApiBase to handle errors and warnings using i18n keys. Methods for using hard-coded English messages were deprecated:
    ** ApiBase::dieUsage() was deprecated
    ** ApiBase::dieUsageMsg() was deprecated
    ** ApiBase::dieUsageMsgOrDebug() was deprecated
    ** ApiBase::getErrorFromStatus() was deprecated
    ** ApiBase::parseMsg() was deprecated
    ** ApiBase::setWarning() was deprecated
  * ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error.
  * The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work.
  * UsageException is deprecated in favor of ApiUsageException. For the time being ApiUsageException is a subclass of UsageException to allow things that catch only UsageException to still function properly. If, for some strange reason, code was using an ApiErrorFormatter instead of ApiErrorFormatter_BackCompat, note that the result format has changed and various methods now take a module path rather than a module name.
  * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes from the message key, and maps some message keys for backwards compatibility.
  Languages updated
  * Based as always on linguistic studies on intelligibility and language knowledge by geography, language fallbacks have been expanded.
  * No fallback for Ukrainian
  * (task T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian language will now use the default fallback language: English. When a translation to Ukrainian is not available, an English string will be shown.
  Other changes
  * wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" URLs to continue to work, set up redirects.

-------------------------------------------------------------------
Mon May 15 11:12:09 UTC 2017 - ecsos@opensuse.org

- update to 1.28.2
  This is a security release of the MediaWiki 1.28 branch. Due to a mistake in packaging, the releases 1.27.2 and 1.28.1 did not contain the fix for SyntaxHighlight_GeSHi. This new release does contain that fix.
- update to 1.28.1
  This is a security and maintenance release of the MediaWiki 1.28 branch.
  === Changes since 1.28.0 ===
  * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
  * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
  * (T152717) Better escaping for PHP mail() command.
  * (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
  * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
  * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
  * (T145635) Fix too long index error when installing with MSSQL.
  * (T156184) $wgRawHtml will no longer apply to internationalization messages.
  * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
  * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
  * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
  * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
  * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
  * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
  * (T156184) SECURITY: Escape content model/format url parameter in message.
  * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
  * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
  * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
  * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it.

-------------------------------------------------------------------
Mon Jan 9 18:25:53 UTC 2017 - ecsos@opensuse.org

- update to 1.28.0
  === Breaking changes ===
  * Magic links are now disabled by default. They can be enabled by changing the value of $wgEnableMagicLinks. It has been proposed to remove magic link functionality from MediaWiki in a future release; if you depend upon or use them, it is requested that you comment at Requests for comment/Future of magic links.
  === Changes since 1.28.0rc0 ===
  * (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again.
  * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
  * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
  * (T149759) manifest_version: 2 was removed.
  === Configuration changes in 1.28 ===
  * $wgSend404Code now affects status code of action=history if the page is not there.
  * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown.
  * The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations.
  * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads.
  * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog.
  * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension.
  * When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default.
  * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes".
  * The 'editcontentmodel' permission is now granted to all logged-in users ('user') instead of just administrators ('sysop'). Documentation for this feature is available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
  * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
  * Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and explain your use case(s).
  * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting.
  === New features in 1.28 ===
  * User::isBot() method for checking if an account is a bot role account.
  * Added a new 'slideshow' mode for galleries.
  * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
  * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing.
  * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
  * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
  * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script.
  * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
  * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki.
  * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
  * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.
  === External library changes in 1.28 ===
  ==== Upgraded external libraries ====
  * Updated es5-shim from v4.1.5 to v4.5.8
  * Updated composer/semver from v1.4.1 to v1.4.2
  * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
  ==== New external libraries ====
  * Added wikimedia/scoped-callback v1.0.0
  * Added wikimedia/wait-condition-loop v1.0.1
  === Bug fixes in 1.28 ===
  * (T146496) action=history pages should return 404 HTTP error code if the page does not exist
  * (T137264) SECURITY: XSS in unclosed internal links
  * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  * (T133147) SECURITY: Require login to preview user CSS pages
  * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()
  === Action API changes in 1.28 ===
  * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of $wgMaxArticleSize.
  * Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26).
  * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
  * Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  * Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options.
  * The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters.
  * The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
  * (T28680) action=paraminfo can now return info about all submodules of a module without listing them all explicitly.
  * (T146770) It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter.
  * (T141963) Added a 'known' property when missing-but-known titles (e.g. from the 'TitleIsAlwaysKnown' hook) are output in various modules.
  === Action API internal changes in 1.28 ===
  * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with ApiParse and ApiExpandTemplates.
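  The U+001F separator from T141960 above, together with the mw.Api useUS option from the 1.28 new-features list, as an added example that is not MediaWiki's own code: a server-side splitter for multi-valued parameters in both conventions and the client-side join a useUS-enabled client performs. It assumes the convention that a U+001F-separated value announces itself with a leading U+001F byte; the sample option values are constructed.

```php
<?php
// Added example, not MediaWiki's own code: splitting a multi-valued API
// parameter in both the legacy '|' convention and the 1.28 U+001F convention.
// Assumption: a U+001F-separated value carries a leading U+001F marker byte;
// a value without that marker is treated as pipe-separated.

const UNIT_SEPARATOR = "\x1F";

/**
 * Split a raw multi-valued parameter into its individual values.
 *
 * @param string $raw the value as received (after URL decoding)
 * @return string[]
 */
function explodeMultiValue( string $raw ): array {
	if ( $raw === '' ) {
		return [];
	}
	if ( $raw[0] === UNIT_SEPARATOR ) {
		// New style: drop the marker byte and split on U+001F. A '|' inside an
		// individual value is now just data.
		return explode( UNIT_SEPARATOR, substr( $raw, 1 ) );
	}
	// Legacy style: '|' is the separator, so a value that itself contains '|'
	// cannot be represented and is broken into pieces.
	return explode( '|', $raw );
}

/**
 * Join values for sending, the way a client with useUS enabled would:
 * '|' when every value is pipe-free, otherwise the U+001F form.
 *
 * @param string[] $values
 * @return string
 */
function implodeMultiValue( array $values ): string {
	$needsUs = false;
	foreach ( $values as $value ) {
		if ( strpos( $value, UNIT_SEPARATOR ) !== false ) {
			// Neither convention can carry a literal U+001F; refuse instead of
			// producing something the server would split in the wrong place.
			throw new InvalidArgumentException( 'A value may not itself contain U+001F' );
		}
		if ( strpos( $value, '|' ) !== false ) {
			$needsUs = true;
		}
	}
	return $needsUs
		? UNIT_SEPARATOR . implode( UNIT_SEPARATOR, $values )
		: implode( '|', $values );
}

// Constructed sample: two option values for action=options, one of which
// contains a pipe (the case T141960 is about).
$values = [ 'gadget-navpopups', 'layout=wide|compact' ];

$legacy = implode( '|', $values );       // what a pre-1.28 client would send
$us     = implodeMultiValue( $values );  // what a useUS client sends

// Legacy parse: the '|' inside the second value is taken as a separator.
print_r( explodeMultiValue( $legacy ) );
// U+001F parse: both values come back intact.
print_r( explodeMultiValue( $us ) );
// On the wire the marker and the separators are percent-encoded as %1F.
echo rawurlencode( $us ), "\n";
```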
  * (T139565) SECURITY: API: Generate head items in the context of the given title
  * (T115333) SECURITY: Check read permission when loading page content in ApiParse
  * ApiBase::getResultData() was removed (deprecated since 1.25)
  * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
  * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
  * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
  * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
  * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
  * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
  * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
  * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
  * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
  * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
  * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
  * ApiMain::setHelp() was removed (deprecated since 1.25)
  * ApiResult::beginContinuation() was removed (deprecated since 1.25)
  * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
  * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
  * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
  * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
  * ApiResult::endContinuation() was removed (deprecated since 1.25)
  * ApiResult::getData() was removed (deprecated since 1.25)
  * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
  * ApiResult::setContent() was removed (deprecated since 1.25)
  * ApiResult::setContinueParam() was removed (deprecated since 1.25)
  * ApiResult::setElement() was removed (deprecated since 1.25)
  * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
  * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
  * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
  * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
  * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
  * ApiResult::setRawMode() was removed (deprecated since 1.25)
  * ApiResult::size() was removed (deprecated since 1.25)
  * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. A query module can enable these hooks by passing an array for $hookData to ApiQueryBase::select() and by calling ApiQueryBase->processRow() before adding a row's data to the result.
  === Languages updated in 1.28 ===
  MediaWiki supports over 375 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.
  * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
  * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan.
  * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
  * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
  === Other changes in 1.28 ===
  * (T128697) Improved handling of large diffs.
  * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can use or update a custom session provider if needed.
  * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
  * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
  * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
  * The 'UserLoginComplete' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in.
  * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
  * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
  * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
  * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
  * Linker::link() and Linker::linkKnown() were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd respectively. See docs/hooks.txt for the specific changes needed for those hooks.
  * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
  * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
    ** Skin::commentBlock() (use Linker::commentBlock() instead)
    ** Skin::generateRollback() (use Linker::generateRollback() instead)
    ** Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
    ** Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
    ** Skin::userLink() (use Linker::userLink() instead)
    ** Skin::userToolLinks() (use Linker::userToolLinks() instead)
  * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled.
  * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
  * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated. Use ...->stashFile()->getFileKey() instead.
  * "Public domain" was removed as a wiki license option from the installer, in favour of CC-0.
  * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests.
  * OOjs UI PHP widgets constructed with the `'infusable' => true` config option will no longer be automatically infused. You should call `OO.ui.infuse()` on them yourself from your JavaScript code.
  * parserTests.php has moved to tests/parser/parserTests.php
  * The command line options specific to parser tests have been removed from phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter. Instead of --keep-uploads, use the same option to parserTests.php, but you must specify a directory with --upload-dir.
  * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
  * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices.
  * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete, ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and ShowRawCssJs hooks will now emit deprecation warnings if used.
  * (T68404) CSS3 attr() function with url type is no longer allowed in inline styles.
  * Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass instead.

-------------------------------------------------------------------
Fri Sep 2 18:38:48 UTC 2016 - ecsos@opensuse.org

- update to 1.27.1
  * (T139565) API: Generate head items in the context of the given title (CVE-2016-6335)
  * (T137264) XSS in unclosed internal links (CVE-2016-6334)
  * (T133147) Escape '<' and ']]>' in inline <style> blocks (CVE-2016-6333)
  * (T133147) Require login to preview user CSS pages (CVE-2016-6333)
  * (T132926) Do not allow undeleting a revision deleted file if it is the top file (CVE-2016-6336)
  * (T129738) Make $wgBlockDisablesLogin also restrict logged in permissions (CVE-2016-6332)
  * (T129738) Make blocks log users out if $wgBlockDisablesLogin is true (CVE-2016-6332)
  * (T115333) Check read permission when loading page content in ApiParse (CVE-2016-6331)
  * (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
  * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights() (CVE-2016-6337)
  The following fix is for the PdfHandler extension:
  * (T136402) Add -dSAFER to ghostscript as hardening measure

-------------------------------------------------------------------
Thu Jul 28 10:47:38 UTC 2016 - jweberhofer@weberhofer.at

- Conflict with php5 < 5.5.9

-------------------------------------------------------------------
Mon Jul 25 09:41:47 UTC 2016 - jslaby@suse.com

- add php-mbstring to requires (does not start w/o that)
- add php-mcrypt to requires (uses slow & insecure fall-back if not installed)

-------------------------------------------------------------------
Thu Jul 7 05:56:37 UTC 2016 - jweberhofer@weberhofer.at

- Improved dependencies

-------------------------------------------------------------------
Tue Jul 5 03:36:04 UTC 2016 - jweberhofer@weberhofer.at

- Update to version 1.27.0
- Breaking changes:
  * MediaWiki now requires at least PHP 5.5.9. This corresponds with HHVM 3.1.
  * Note that this new branch brought breaking changes to a number of extensions, many of which have not been updated yet.
  * If the openssl and mcrypt PHP extensions are both unavailable, secure session storage (used for login) will raise an exception. This exception may be bypassed by setting $wgSessionInsecureSecrets = true;. Note that this bypass is not recommended. It is insecure. You should not use it.
  * The RandomRootPage extension has been merged into MediaWiki core. If you have it installed, you should uninstall it.
  * The ApiSandbox extension has been merged into MediaWiki core. If you have it installed, you should uninstall it.
  * AuthManager. If you're writing a new extension, you should definitely follow Manual:SessionManager and AuthManager and then upgrade to 1.27 to use it. If you are making sure an existing extension is compatible with 1.27, see the updating tips.
- New feature:
  * InstantCommons will now truly work out of the box, as long as your users can connect to upload.wikimedia.org
- For a complete list of changes see: https://www.mediawiki.org/wiki/Release_notes/1.27#MediaWiki_1.27.0

-------------------------------------------------------------------
Fri May 20 20:03:23 UTC 2016 - jweberhofer@weberhofer.at

- Update to version 1.26.3
  * T122056: Old tokens are remaining valid within a new session
  * T127114: Login throttle can be tricked using non-canonicalized usernames
  * T123653: Cross-domain policy regexp is too narrow
  * T123071: Incorrectly identifying http link in a's href attributes, due to m modifier in regex
  * T129506: MediaWiki:Gadget-popups.js isn't renderable
  * T125283: Users occasionally logged in as different users after SessionManager deployment
  * T103239: Patrol allows click catching and patrolling of any page
  * T122807: [tracking] Check php crypto primitives
  * T98313: Graphs can leak tokens, leading to CSRF
  * T130947: Diff generation should use PoolCounter
  * T133507: Careless use of $wgExternalLinkTarget is insecure
  * T132874: API action=move is not rate limited
  * T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags (This fix affects both core and SyntaxHighlight_GeSHi)
  * T116030: Increase pbkdf2 parameter strengths
  * T127420: Pbkdf2Password does not check if hash_pbkdf2() succeeded
  * T126685: Globally throttle password attempts

-------------------------------------------------------------------
Sun Jan 3 01:23:11 UTC 2016 - ecsos@opensuse.org

- Update to version 1.26.2
  * (T121892) Fix fatal error on some Special pages.

-------------------------------------------------------------------
Fri Dec 18 02:49:24 UTC 2015 - jweberhofer@weberhofer.at

- Update to version 1.26.1
  * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks.
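  The $wgArticlePath rule from the T117899 item (this item and its continuation), as an added example that is not MediaWiki's own code: a stand-alone PHP check you can run against a LocalSettings.php value before deploying it. It assumes the rule as the note states it, an absolute URL or a leading slash, plus the presence of the $1 title placeholder; the candidate values are constructed and include the ones the note cites.

```php
<?php
// Added example, not MediaWiki's own code: a stand-alone check applying the
// 1.26.1 rule for $wgArticlePath. Assumptions: a value is accepted when it is
// an absolute URL (scheme followed by "://") or begins with "/", and it must
// contain the "$1" placeholder; anything else is the relative path the release
// note describes and is rejected.

/**
 * Returns true when $path is an acceptable $wgArticlePath value.
 */
function isSafeArticlePath( string $path ): bool {
	if ( strpos( $path, '$1' ) === false ) {
		return false; // no placeholder: the title could never be substituted
	}
	if ( $path[0] === '/' ) {
		// "/wiki/$1" and protocol-relative "//my.wiki.com/wiki/$1" resolve from
		// the site root, never relative to the page being viewed.
		return true;
	}
	// "http://my.wiki.com/wiki/$1": an explicit scheme and host.
	return (bool)preg_match( '!^[a-z][a-z0-9+.-]*://!i', $path );
}

/**
 * Mirror of the hard failure the release note describes: refuse to run with a
 * relative path rather than emit links that resolve relative to the current page.
 */
function assertArticlePath( string $path ): void {
	if ( !isSafeArticlePath( $path ) ) {
		throw new UnexpectedValueException(
			"\$wgArticlePath must be an absolute URL or start with a slash, got \"$path\""
		);
	}
}

// Constructed candidate values, including the four the release note cites
// and two extra edge cases (protocol-relative URL, missing placeholder).
$candidates = [
	'http://my.wiki.com/wiki/$1',
	'/wiki/$1',
	'//my.wiki.com/wiki/$1',
	'$1',
	'wiki/$1',
	'/wiki/',
];

foreach ( $candidates as $candidate ) {
	try {
		assertArticlePath( $candidate );
		echo "OK       $candidate\n";
	} catch ( UnexpectedValueException $e ) {
		echo "REJECTED $candidate\n";
	}
}
```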
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error * (T119309) SECURITY: Use hash_compare() for edit token comparison * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads * (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki ------------------------------------------------------------------- Sat Nov 28 17:00:46 UTC 2015 - jweberhofer@weberhofer.at - Added a conflicts section to force installation of mediawiki-math with curren versioning scheme. - Update to version 1.26.0 === Configuration changes in 1.26 === * $wgPasswordResetRoutes['email'] = true by default. * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE instead if you want to disable the parser cache. * New-style continuation is now the default for API action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly. * Deprecated API formats dump and wddx have been completely removed. * (T7645) The "Signature" button on the edit toolbar is now hidden by default in non-talk namespaces. A new configuration variable, $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces the "Signature" button on the edit toolbar will be displayed. * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental feature that was never enabled by default. * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed. 
This experimental feature was never enabled by default and is obsolete as of MediaWiki 1.26, in where ResourceLoader became fully asynchronous. * $wgMasterWaitTimeout was removed (deprecated in 1.24). * Fields in ParserOptions are now private. Use the accessors instead. * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or in extension.json) have been removed, after being deprecated in 1.24. * $wgAlwaysUseTidy has been removed. * ResetSessionID hook has been removed. Nothing seems to use it. * Certain AuthPlugin methods are deprecated in favor of new hooks: ** AuthPlugin::initUser() is replaced by LocalUserCreated. ** AuthPlugin::updateUser() is replaced by UserLoggedIn. ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings. ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged. ** AuthPluginUser::isHidden() is replaced by UserIsHidden. ** AuthPluginUser::isLocked() is replaced by UserIsLocked. * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook. * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace the passed User object. * $wgBlockAllowsUTEdit is now set to true by default. This allows blocked users to edit their talk pages unless explicitly disabled when they are being blocked. === New features in 1.26 === * (T51506) Now action=info gives estimates of actual watchers for a page. See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret to learn how to configure if needed. * Change tags can now be hidden in the interface by disabling the associated "tag-<id>" interface message. * ':' (colon) is now invalid in usernames for new accounts. Existing accounts are not affected. * Added a new hook, 'LogException', to log exceptions in nonstandard ways. * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of search results are rendered. The initial use case is to append a "give us feedback" link beneath the search results. 
* Added a new hook, 'RejectParserCacheValue', which allows extensions to reject an otherwise-successful parser cache lookup. The intent is to allow extensions to manage the eviction of archaic HTML output from the cache. * (T68699) The expiration of the UserID and Token login cookies ($wgExtendedLoginCookieExpiration) can be configured independently of the expiration of all other cookies ($wgCookieExpiration). * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading of WebP images still disabled by default. Add $wgFileExtensions[] = 'webp'; to LocalSettings.php to enable uploading of WebP images. * Added new hooks 'EnhancedChangesListModifyLineData' & 'EnhancedChangesListModifyBlockLineData', to modify the data used to build lines in enhanced recentchanges and watchlist. * Caches that need purging ability now use the WANObjectCache interface. This corresponds to a new $wgMainWANCache setting, which defaults to using the $wgMainCacheType settings. * Callers needing fast light-weight data stores use $wgMainStash to select the store type from $wgObjectCaches. The default is the local database. * Interface message overrides in the MediaWiki namespace will now be cached in memcached and APC (if available), rather than memcached and local files. * Added a new hook, 'RandomPageQuery', to allow modification of the query used by Special:Random to select random pages. * $wgTransactionalTimeLimit was added, which controls the request time limit for potentially slow POST requests that need to be as atomic as possible. * ResourceLoader now loads all scripts asynchronously. The top-queue and startup modules are no longer synchronously loaded. * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every page. During the deprecation period, the styles will only be loaded on pages which contain 'mw-ui-button' in their HTML. 
Starting in 1.28, the styles will only be loaded if explicitly required. * If search returns zero results and current search engine has a "did you mean" suggestion, results for suggestion will be shown. Can be disabled by setting $wgSearchRunSuggestedQuery to false. * Added several JavaScript libraries for uploading files to MediaWiki from the client-side. See documentation for mw.Upload and its subclasses for more information. * Added OOUI dialogs and layout for file upload interfaces. See documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its subclasses for more information. == extension.json changes in 1.26 == * (T99344) The extension.json schema is now versioned. All extensions and skins should set a "manifest_version" property corresponding to the schema version they were written for. The only supported version currently is "1". * (T102523) The error message if a non-array attribute is set was improved. * (T107646) Configuration settings can now specify how they should be merged, which is necessary for arrays using integer keys. * (T110389) Adding namespaces through extension.json now actually works * $wgNamespaceProtection can now be set in extension.json. * $wgCapitalLinkOverrides can now be set in extension.json. * (T97186) Extensions using a custom prefix for their configuration settings can now set a "_prefix" key to override the default of "wg". * (T99084) Extensions can now specify what MediaWiki core versions they depend upon. * (T105236) The extension.json schema now validates custom classes in the "ResourceModules" property properly. === External library changes in 1.26 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.0.0 to v4.1.5. * Updated json2 from revision 2014-02-04 to 2015-05-03. * Updated Sinon.JS from 1.10.3 to 1.15.4. * Updated jQuery Client from v1.0.0 to v2.0.0. * Updated QUnit from v1.17.1 to v1.18.0. * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16. 
  * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
  * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
  * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
  * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
  * Updated zordius/lightncandy from v0.18 to v0.21.

  ==== New external libraries ====
  * Added composer/semver v1.0.0.
  * Added mediawiki/at-ease v1.1.0.
  * Added wikimedia/assert v0.2.2.
  * Added wikimedia/ip-set v1.0.1.
  * Added wikimedia/wrappedstring v2.0.0.

  ==== Removed and replaced external libraries ====
  * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.

  === Bug fixes in 1.26 ===
  * (T53283) load.php sometimes sends 304 response without full headers
  * (T65198) Talk page tabs now have a "rel=discussion" attribute
  * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
  * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string.

  === Action API changes in 1.26 ===
  * New-style continuation is now the default for action=continue. Clients may use the 'rawcontinue' parameter to receive raw query-continue data, but the new style is encouraged as it's harder to implement incorrectly.
  * Deprecated API formats dump and wddx have been completely removed.
  * API action=query&list=tags: The displayname can now be boolean false if the tag is meant to be hidden from user interfaces.
  * action=import no longer allows both the namespace= and rootpage= parameters to be set. If they are both set, the value of rootpage= will be ignored.
  * prop=revision output in enum mode is now sorted by timestamp rather than revision ID. This usually won't make any difference.
  * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array with formatversion=2.
  * Various other output from meta=siteinfo will now always be arrays instead of sometimes being numerically-indexed objects with formatversion=2.
  * When errors about users being blocked are returned, they now include information about the relevant block.
  * (T99926) list=random has higher limits, in line with other API modules.
  * list=random's rnredirect parameter is deprecated in favor of a new rnfilterredir parameter that also allows for listing both redirects and non-redirects.
  * list=random now supports continuation.
  * API responses to GET requests may now include ETag and Last-Modified headers, and will honor corresponding If-None-Match and If-Modified-Since on such requests.

  === Action API internal changes in 1.26 ===
  * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key into the value when the value is an assoc.
  * API action modules may now provide values for the RFC 7232 ETag and Last-Modified headers. The API will check these against If-None-Match and If-Modified-Since request headers on GET requests and avoid executing the module when appropriate.

  === Languages updated in 1.26 ===
  MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.
  * Languages added:
  ** ase (American sign language), thanks to translator Icemandeaf
  ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द, मेश सिंह बोहरा, and राम प्रसाद जोशी
  ** luz (لئری دوٙمینی / Southern Luri)
  ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi, Ilja.mos, and Mashoi7

  === Other changes in 1.26 ===
  * ChangeTags::tagDescription() will return false if the interface message for the tag is disabled.
  * Added PageHistoryPager::doBatchLookups hook.
  * Added $wikiId parameter to FormatAutocomments hook.
  * Added ParserCacheSaveComplete to ParserCache
  * supportsDirectEditing and supportsDirectApiEditing methods added to ContentHandler, to provide a way for ApiEditPage and EditPage to check if direct editing of content is allowed.
    These methods return false by default for the ContentHandler base class and true for TextContentHandler and its derivative classes (everything in core). For Content types that do not support direct editing, an alternative mechanism should be provided for editing, such as action overrides or specific api modules.
  * mediaWiki.confirmCloseWindow now returns an object of functions, instead of one function. The callback can't be called directly any more. The callback function is replaced with confirmCloseWindow.release().
  * BREAKING CHANGE: Added an optional ResourceLoaderContext parameter to ResourceLoaderModule::getDependencies(). Extension classes that override that method should be updated. If they aren't updated, PHP Strict standards warnings will appear when E_STRICT error reporting is enabled. Note: in the near future, this parameter will probably become non-optional.
  * Removed maintenance script deleteImageMemcached.php.
  * MWFunction::newObj() was removed (deprecated in 1.25). ObjectFactory::getObjectFromSpec() should be used instead.
  * The parser will no longer randomize the string it uses to mark the place of items that were stripped during parsing. It will use a fixed string instead. This causes the parser to re-use the regular expressions it uses to search and replace markers rather than generate novel expressions on each parse. Re-using regular expressions will improve performance on HHVM and the forthcoming PHP 7. The interface changes accompanying this change are:
    - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
    - The $uniq_prefix argument for Parser::extractTagsAndParams() and the $prefix argument for StripState::__construct() are deprecated and their value is ignored.
  * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library, mediawiki/at-ease, and are now deprecated. Callers should use MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
  * The Block class constructor now takes an associative array of parameters instead of many optional positional arguments. Calling the constructor the old way will issue a deprecation warning.
  * The jquery.mwExtension module was deprecated.
  * $wgSpecialPageGroups was removed (deprecated in 1.21).
  * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
  * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
  * DatabaseBase::ignoreErrors() is now protected.
  * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following a lengthy deprecation period.
  * The ScopedPHPTimeout class was removed.
  * Removed maintenance script fixSlaveDesync.php.
  * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption() are deprecated. Applications using those can work via the OAuth extension instead. New token types should not be added.
  * DatabaseBase::errorCount() was removed (unused).
  * $wgDeferredUpdateList was removed.
  * DeferredUpdates::addHTMLCacheUpdate() was removed.

-------------------------------------------------------------------
Mon Oct 19 13:23:46 UTC 2015 - jweberhofer@weberhofer.at

- Updated to security and maintenance release 1.25.3
  * Wikipedia user RobinHood70 reported two issues in the chunked upload API. The API failed to correctly stop adding new chunks to the upload when the reported size was exceeded (T91203), allowing a malicious user to add an infinite number of chunks for a single file upload. Additionally, a malicious user could upload chunks of 1 byte for very large files, potentially creating a very large number of files on the server's filesystem (T91205).
  * Internal review discovered that it is not possible to throttle file uploads. (T91850)
  * Internal review discovered a missing authorization check when removing suppression from a revision. This allowed users with the 'viewsuppressed' user right but not the appropriate 'suppressrevision' user right to unsuppress revisions.
    (T95589)
  * Richard Stanway from teamliquid.net reported that thumbnails of PNG files generated with ImageMagick contained the local file path in the image metadata. (T108616)
  * Fix having multiple callbacks for a single hook. (T98975)
  * maintenance/refreshLinks.php did not always remove all links pointing to nonexistent pages. (T107632)
  * $wgEmergencyContact and $wgPasswordSender now use their default value if set to an empty string. (T104142)
  * Provide fallbacks for use of mb_convert_encoding() in HtmlFormatter. It was causing an error when accessing the api help page if the mbstring PHP extension was not installed. (T62174)
  * Confirmation emails would sometimes contain invalid codes. (T105896)
  * Fixed edit stash inclusion queries. (T105597)

-------------------------------------------------------------------
Sun Sep 6 05:37:47 UTC 2015 - jweberhofer@weberhofer.at

- updated to security and maintenance release 1.25.2
  * (T94116) SECURITY: Compare API watchlist token in constant time
  * (T97391) SECURITY: Escape error message strings in thumb.php
  * (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
  * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.
  * (T100767) Setting a configuration setting for skin or extension to false in LocalSettings.php was not working.
  * (T100635) API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled.
  * (T102522) Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatibility will no longer trigger warnings.
  * (T86156) Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list.
  * Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined.
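What "compare in constant time" means for the watchlist token fix (T94116) above, and for the same class of fix in the 1.22.3 entry further down (MW#61346). This is an added illustration in PHP, not MediaWiki's own code; the function names and the demo token values are constructed for the example.

```php
<?php
// Added example (not MediaWiki code): a secret token compared the wrong way
// and the right way. Token values below are constructed for the demo.

// Vulnerable: == stops at the first differing byte, so the response time
// leaks how many leading bytes of the token the attacker has right.
// It also applies numeric juggling: '0e1234' == '0e5678' is true in PHP,
// because both parse as 0.0, so a token that happens to look numeric can
// be matched by a different numeric-looking string.
function compareTokenLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Portable constant-time comparison, the shape of the hash_equals()
// polyfill used before PHP 5.6. Every byte is XORed into $diff no matter
// where the first mismatch is, so work does not depend on the secret.
// Only the length can leak, and token lengths are public anyway.
function compareTokenConstantTime(string $expected, string $supplied): bool
{
    $len = strlen($expected);
    if ($len !== strlen($supplied)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($expected[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

// On PHP >= 5.6 the built-in does the same loop in C; always put the
// server-side value first and the attacker-controlled value second.
function compareToken(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Constructed demo inputs.
$stored = bin2hex(random_bytes(16));   // the kind of value a watchlist/CSRF token has
var_dump(compareTokenLoose('0e1234', '0e5678'));          // juggling: wrongly accepted
var_dump(compareTokenConstantTime('0e1234', '0e5678'));   // rejected
var_dump(compareToken($stored, $stored), compareToken($stored, strrev($stored)));
```

The loose comparison fails on two independent counts: timing, which is what the two changelog entries are about, and type juggling, which `===` alone would fix but which the constant-time versions also avoid because they compare bytes, never numbers.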
-------------------------------------------------------------------
Tue May 26 09:43:35 UTC 2015 - jweberhofer@weberhofer.at

- update to release 1.25.1
  MediaWiki 1.25 includes all changes released in the smaller 1.25wmf* software deployments to Wikimedia sites over six months, totaling approximately 2200 changes.
  * Indicators – Templates that add icons to the top right corner of the page (and more) can be updated to use the new page status indicators feature.
  * Enhanced recent changes – MediaWiki now uses by default the extended watchlist and so-called enhanced recent changes (preference "Group changes by page in recent changes and watchlist"), which also received several improvements in MediaWiki 1.24 and 1.25 (task 37785). This means that Special:RecentChanges and Special:Watchlist show all the changes to each page in a given day, sorted by page rather than chronologically. Changes to each page are collapsed by default and a compact overview is shown, with links to collated diffs and counts of each user's actions. Full activity for an individual page can then be shown with a single click. Users will no longer need to know in detail how a single change was chosen for display in order to figure out what else may have happened to the page that day, nor to scan a long list of non-contiguous lines on the screen in order to get a complete picture. The change is part of MediaWiki's evolution towards an interface which is more discoverable and less cluttered by default, while equally easy to quickly access in full, with the help of JavaScript. However, the (grouped) layout is an improvement for non-JavaScript users as well.
  * Live preview – While editing, you're not sure what a wikitext syntax will produce? That's no longer a problem, now that live preview is no longer experimental. By enabling the feature in your preferences, MediaWiki will display the effect of your edits without fully reloading the page, so that you can quickly correct any mistake.
  * Import – The import tool is now much easier to use on content from a wiki which has different namespaces than yours (e.g. because it's in another language).
  * Internationalization – In logging and gender support, continuing the work in MediaWiki 1.18 and 1.19, multiple log types of Special:Log have been migrated to the new logging system, which allows full internationalization including word order and grammatical gender. The migration continues. See task T26620 for a list.
  * Locales – The following locales have been added: अवधी, بلوچی رخشانی and Koyraboro Senni.
  * API documentation is localized and easier to access through Special:ApiHelp.

  == What's new for system administrators? ==
  * PHP 5.3.3 is now required (from 5.3.2)
  * Extensions and skins are now loaded through a new registration system
  * Profiling was completely overhauled to use the xhprof module.

  Full release notes:
  https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_25/RELEASE-NOTES-1.25
  https://www.mediawiki.org/wiki/Release_notes/1.25

-------------------------------------------------------------------
Wed Apr 1 20:00:22 UTC 2015 - jweberhofer@weberhofer.at

- update to security release 1.24.2
  - iSEC Partners discovered a way to circumvent the SVG MIME blacklist for embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed JavaScript in the SVG. The issue was additionally identified by Mario Heiderich / Cure53. MIME types are now whitelisted. <https://phabricator.wikimedia.org/T85850>
  - MediaWiki user Bawolff pointed out that the SVG filter to prevent injecting JavaScript using animate elements was incorrect. <https://phabricator.wikimedia.org/T86711>
  - MediaWiki user Bawolff reported a stored XSS vulnerability due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageConverter substitutions.
    <https://phabricator.wikimedia.org/T73394>
  - Internal review discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. This issue was also discovered by Mario Gomes from Beyond Security. <https://phabricator.wikimedia.org/T88310>
  - iSEC Partners discovered an XSS vulnerability in the way api errors were reflected when running under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now detects and mitigates this issue on older versions of HHVM. <https://phabricator.wikimedia.org/T85851>
  - Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords. <https://phabricator.wikimedia.org/T64685>
  - iSEC Partners discovered that MediaWiki's SVG and XMP parsing, running under HHVM, was susceptible to "Billion Laughs" DoS attacks (iSEC-WMF1214-13). <https://phabricator.wikimedia.org/T85848>
  - Internal review found that MediaWiki is vulnerable to "Quadratic Blowup" DoS attacks, under both HHVM and Zend PHP. <https://phabricator.wikimedia.org/T71210>
  - iSEC Partners discovered a way to bypass the style filtering for SVG files (iSEC-WMF1214-3). This could violate the anonymity of users viewing the SVG. <https://phabricator.wikimedia.org/T85349>
  - iSEC Partners reported that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation (iSEC-WMF1214-10). This feature has been removed. <https://phabricator.wikimedia.org/T85855>
  Additionally, the following extensions have been updated to fix security issues:
  - Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS.
    <https://phabricator.wikimedia.org/T85113>
  - Extension:CheckUser - iSEC Partners discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users (iSEC-WMF1214-6). Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. <https://phabricator.wikimedia.org/T85858>
  Additional bug fixes:
  - Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
  - (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
  - (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

-------------------------------------------------------------------
Sat Jan 17 11:11:17 UTC 2015 - ecsos@opensuse.org

- Upgraded to security release 1.24.1
  * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
  * (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

-------------------------------------------------------------------
Wed Jan 14 08:40:59 UTC 2015 - jweberhofer@weberhofer.at

- Modified update-script to include vector-skin in LocalSettings.php by default or to move vector-skins location when updating from older mediawiki versions.
- Release 1.24.0
  Full release notes at: https://www.mediawiki.org/wiki/Release_notes/1.24
  Preferences made easier: MediaWiki is known to be extremely flexible and customisable, but few users use its full potential. In 1.24, we aim to make dozens of obscure preferences easily discoverable and obvious to use.
  New features:
  * Category pages can now be moved (mw#5451).
  * MergeHistory for all administrators by default (mw#66155).
  * Improvements have been made to the password storage system, allowing improved security against offline attacks should a wiki's database be compromised by attackers. The default password storage algorithm was changed to PBKDF2. PBKDF2 and Bcrypt have built-in support in PHP. The new extensible password API makes it trivial to implement scrypt support if we wanted to.
  Usability:
  * The move feature and other actions are now discoverable in Vector, thanks to a label for the dropdown where they're hidden by default (bug 44591).
  * Specify default language on a per-page basis
  * Redirect to Special:UserLogin when logging in is required to proceed, instead of showing an error message
  In 2014, MediaWiki development has a new focus on frontend performance:
  * Improved Vector skin performance by removing collapsibleNav, which used to collapse some sidebar elements by default. This removes -list id suffixes like p-lang-list: instead of using things like #p-lang-list, you can do #p-lang .body ul. If you would like CollapsibleNav back please use the CollapsibleVector extension. (mw#39035)
  Upgrade notices for MediaWiki administrators:
  Breaking changes:
  * Upgrade jQuery to version 1.11.x: [[mailarchive:wikitech-l/2014-June/076842.html]]
  * Support for register_globals (deprecated 5 years ago) was dropped; MediaWiki will no longer run with it enabled.
  * {{!}} is now a magic word that results in |, mainly for use in templates and other complex templates. If your wiki has another template at Template:!, you will need to change the name and update any usage of it. If your Template:! is just |, it can be safely deleted.
  API changes:
  Starting with MediaWiki 1.24, we're cleaning up the API, and working towards an API 2.0. See the roadmap for more details.
  * Rarely used formats deprecated: dbg, dump, txt, wddx, yaml. These may be removed in a future release.
  * Token handling overhauled: the action=tokens module is now deprecated and replaced by action=query&meta=tokens.
    Most actions now just take a generic "csrf" token, and the token type is now properly documented in the auto-generated documentation.
  * And more! See the RELEASE-NOTES-1.24 file for a full list.
  Directory changes:
  The legacy '''skins/common/''' directory has been emptied and deleted as part of the skin system cleanup. Files that have been present in it have been moved elsewhere or deleted (if they were unused). If you loaded any of these files as part of your custom skin or on-wiki CSS/JS, you should make a copy of the old files in a non-MediaWiki directory. See the RELEASE-NOTES-1.24 file for the full list of moved/deleted files.
  Browser support deprecated or removed:
  Full support for Internet Explorer 6 and Internet Explorer 7 has been removed: it will browse MediaWiki without JavaScript. JavaScript fixes specific to it have also been removed. Additional IE6 and IE7 fixes that exist in MediaWiki:Common.js and similar can be safely removed.
  Skins no longer loaded after upgrade?
  MediaWiki 1.24 no longer uses the skin autodiscovery mechanism to load default skins, instead requiring that the skins be manually loaded in LocalSettings.php, much like extensions (see [[Manual:Skin configuration#Installing skins]]). This will require you to update LocalSettings.php after the upgrade - a prominently displayed warning message should guide you through the process, suggesting the exact configuration that you need to add. If you're upgrading via a tarball release, that is all you need to do. If you're upgrading via git or otherwise from source, note that the skins themselves have been each moved to a separate repository and will need to be installed separately (much like extensions, some basic ones are included in the tarball).
  Composer:
  If you are using extensions managed by composer, make sure to backup your existing composer.json file as it will be overwritten on upgrade.
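The 1.24.0 notes above introduce PBKDF2 as the default password hash, and the 1.24.2 entry (T64685) records that this made login a DoS target for extremely long passwords. The PHP below is an added illustration of the problem and of the length cap that closes it; it is not MediaWiki's Password classes. The 4096-byte limit, the `:pbkdf2:algo:rounds:length:salt:hash` stored layout (loosely modelled on MediaWiki's, but an assumption here) and the round count are values chosen for the example.

```php
<?php
// Added example (not MediaWiki's Pbkdf2Password): PBKDF2 with an upper bound
// on password length. PBKDF2 runs HMAC with the password as the key on every
// round; an implementation that feeds the raw password to hash_hmac() each
// round re-hashes the full password tens of thousands of times, so one
// unauthenticated login attempt with a multi-megabyte password can pin a
// core. Rejecting over-long input before any derivation makes that cheap.

const MAX_PASSWORD_BYTES = 4096;   // assumed cap, chosen for this example
const PBKDF2_ALGO        = 'sha512';
const PBKDF2_ROUNDS      = 30000;
const PBKDF2_KEY_BYTES   = 64;

function hashPassword(string $password, ?string $salt = null): string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        throw new LengthException('password exceeds ' . MAX_PASSWORD_BYTES . ' bytes');
    }
    $salt = $salt ?? random_bytes(16);
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ROUNDS, PBKDF2_KEY_BYTES, true);
    // Stored form: ':pbkdf2:algo:rounds:length:salt:hash' (layout assumed here).
    return implode(':', ['', 'pbkdf2', PBKDF2_ALGO, PBKDF2_ROUNDS, PBKDF2_KEY_BYTES,
        base64_encode($salt), base64_encode($hash)]);
}

// The length check runs before any hashing, and the final comparison is
// constant-time so the stored hash cannot be recovered byte by byte.
function verifyPassword(string $password, string $stored): bool
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return false;
    }
    $parts = explode(':', $stored);
    if (count($parts) !== 7 || $parts[1] !== 'pbkdf2') {
        return false;
    }
    [, , $algo, $rounds, $length, $salt, $hash] = $parts;
    $rounds = (int)$rounds;
    $length = (int)$length;
    $salt = base64_decode($salt, true);
    $hash = base64_decode($hash, true);
    if ($salt === false || $hash === false || $rounds < 1 || $length < 1
        || !in_array($algo, hash_algos(), true)) {
        return false;
    }
    $candidate = hash_pbkdf2($algo, $password, $salt, $rounds, $length, true);
    return hash_equals($hash, $candidate);
}

// Constructed demo: a normal login, a wrong password, and a 1 MiB password
// that is refused without touching hash_pbkdf2().
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong', $stored));
var_dump(verifyPassword(str_repeat('A', 1024 * 1024), $stored));
```

The two places that matter are the `strlen` checks at the top of both functions: the expensive work is only ever done for inputs of bounded size, and the bound is large enough that no real passphrase hits it.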
-------------------------------------------------------------------
Thu Oct 30 15:23:19 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to bugfix release 1.23.6
  * Allow classes to be registered properly from installer (MW#67440)
  * Job queue not running (HTTP 411) due to missing Content-Length: header (MW#72274)

-------------------------------------------------------------------
Fri Oct 3 09:10:23 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to security release 1.23.5
  * SECURITY: OutputPage: Remove separation of css and js module allowance. (MW#70672)

-------------------------------------------------------------------
Thu Sep 25 11:57:47 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to security and maintenance release 1.23.4
  * SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs. (MW#69008)
  * Make MySQLi work with non-standard socket. (MW#65998)
  * GlobalVarConfig shouldn't throw exceptions for null-valued config settings. (MW#66986)

-------------------------------------------------------------------
Mon Sep 1 08:19:06 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.23.3
  * Correctly handle incorrect namespace in cleanupTitles.php. (MW#68501)
  * Fix support for blobs on DatabaseOracle::update. (MW#64970)
  * Display MediaWiki:Loginprompt on the login page. (MW#66574)
  * wfShellExec() cuts off stdout at multiples of 8192 bytes. (MW#67870)
  * Handle invalid language code gracefully in Language::fetchLanguageNames. (MW#60629)
  * Restore the number of rows shown on Special:Watchlist. (MW#62017)
  * Check for boolean false result from database query in SqlBagOStuff.

-------------------------------------------------------------------
Thu Jul 31 11:43:21 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.23.2
  * SECURITY: Prepend jsonp callback with comment.
    (MW#68187)
  * SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked. (MW#66608)
  * SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput. (MW#65778)
  * Preferences: Turn stubthreshold back into a combo box. (MW#68313)
  * Fix initSiteStats.php maintenance script. (MW#65214)
  * Special:ActiveUsers: Fix to work with PostgreSQL. (MW#67594)
  * Inclusion of SpamBlacklist extension

-------------------------------------------------------------------
Thu Jun 26 07:26:06 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.23.1
  * SECURITY: Prevent external resources in SVG files. (MW#65839)
  * Special:Watchlist: Don't try to render empty row. (MW#67025)
  * Don't allow some E_NOTICE messages to end up in the LocalSettings.php. (MW#66922)
  * Filebackend: Avoid using popen() when "parallelize" is disabled. (MW#66467)
  * MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all. (MW#66428)
  * Removed -x flag on some php files. (MW#66182)

-------------------------------------------------------------------
Thu Jun 5 09:06:20 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.23.0
  * MediaWiki 1.23 includes all changes released in the smaller 1.23wmfX software deployments to Wikimedia sites.
  * Skin autodiscovery deprecated: Skin autodiscovery, the legacy skin installation mechanism used by MediaWiki since very early versions (around 2004), has been officially deprecated and will be removed in MediaWiki 1.25.
    - MediaWiki 1.23 will emit warnings in production if a skin using the deprecated mechanism is found.
    - See Manual:Skin autodiscovery for more information and a migration guide for site admins and skin developers.
  * Notifications: With 1.23, MediaWiki starts to behave more like a modern website as regards notifications, to keep the editors of your wiki engaged and always up to date about what interests them. This used to require several custom settings.
    - (MW#45020) Make preferences "Add pages I create and files I upload to my watchlist" and "pages and files I edit" true by default.
    - (MW#45022) Make preference "Email me when a page or file on my watchlist is changed" true by default.
    - (MW#49719) Watch user page and user talk page by default.
    This will allow your new users to immediately start benefiting from the watchlist and email notification features, without needing to first read all the docs to find out that they're as useful as they are.
  * Merged extensions
    - ExpandTemplates (bug 28264).
    - AssertEdit (bug 27841) - documented at API:Assert.
  * Interface
    - (MW#42026) Add option to only show page creations in Special:Contributions (and API).
    - Add new special page to list duplicate files, Special:ListDuplicatedFiles.
    - (MW#60333) Add new special page listing tracking categories (Special:TrackingCategories).
  * Editing
    - A new special page Special:Diff was added, allowing users to create internal links to revision comparison pages using syntax such as Special:Diff/12345, Special:Diff/12345/prev or Special:Diff/12345/98765.
  * Help pages
    With 1.23, MediaWiki begins a process of consolidation of its help pages. Now, most are using the Translate extension and can be easily translated and updated in hundreds of languages. In the coming months, we'll focus on making more of the central help pages translatable and on linking them from the relevant MediaWiki interfaces for better discoverability. Please help: add your own translations; update existing pages and cover missing MediaWiki topics.
    Traditionally, help pages have been scattered on countless wikis and poorly translated; most of those on mediawiki.org were migrated with the help of some Google Code-in students.
  * CSS refresh for Vector
    - Various Vector CSS properties have been converted to LESS variables.
    - The font size of <code>#bodyContent</code>/<code>.mw-body-content</code> has been increased to 0.875em.
    - The line-height of <code>#bodyContent</code>/<code>.mw-body-content</code> has been increased to 1.6.
    - The line-height of superscript (sup) and subscript (sub) is now set to 1.
    - The default color for content text (but not the headers) is now #252525 (dark grey).
    - All headers have updated sizes and margins.
    - H1 and H2 headers now use a serif font.
    - Body font is "sans-serif" as always.
    For more information see Typography refresh.
  * Configuration
    Add Config and GlobalConfig classes:
    - Allows configuration options to be fetched from context.
    - Only one implementation, GlobalConfig, is provided, which simply returns $GLOBALS[$name]. There can be more classes in the future, possibly a database-based one. For convenience, the "wg" prefix is automatically added.
    - This adds the $wgConfigClass global variable which is used to determine which implementation of Config to use by default.
    - The ContextSource getConfig and setConfig methods were introduced.
  Full release notes:
  https://git.wikimedia.org/blob/mediawiki%2Fcore.git/1.23.0/RELEASE-NOTES-1.23
  https://www.mediawiki.org/wiki/Release_notes/1.23

-------------------------------------------------------------------
Sat May 31 09:21:57 UTC 2014 - ecsos@schirra.net

- Upgraded to release 1.22.7 - security and maintenance release
  * SECURITY: Don't parse usernames as wikitext on Special:PasswordReset. (MW#65501)
  * Add space between two feed links. (MW#36356)
  * Email notifications were not correctly handling the [[MediaWiki:Helppage]] message being set to a full URL.
    This is a regression from the 1.22.5 point release, which made the default value for it a URL. If you customized [[MediaWiki:Enotif body]] (the text of email notifications), you'll need to edit it locally to include the URL via the new variable $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise you don't have to do anything. (MW#63269)
  * Add missing uploadstash.us_props for PostgreSQL.
  * Fixed stream wrapper in PhpHttpRequest. (MW#56047)

-------------------------------------------------------------------
Wed Apr 30 10:22:35 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.22.6 - security release
  * SECURITY: escape sortKey in pageInfo. (MW#63251)

-------------------------------------------------------------------
Fri Mar 28 13:48:52 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.22.5 - security and maintenance release
  * SECURITY: Add CSRF token on Special:ChangePassword. (MW#62497)
  * Set a title for the context during import on the cli. (MW#62467)
  * Fix custom local MediaWiki:Help values.
  * mediawiki.js: Fix documentation breakage.
  * Make MySQLi work with non standard port. (MW#58153)
  * Reintroduced a link to help pages in the default sidebar, that any sysop can customize by editing [[MediaWiki:Sidebar]] locally. The link now points to a mediawiki.org page which is guaranteed to exist. Nothing needs to be done on your end, but remember to adjust [[MediaWiki:Sidebar]] for the needs of your wikis. Everyone can help with the shared documentation by translating: https://www.mediawiki.org/wiki/Special:Translate/agg-Help_pages (MW#53887)
  * Corrected a regression in 1.22 which introduced red links on the login page. If you previously installed 1.22.x and have created a local page to make the red link blue, write its title as in [[MediaWiki:helplogin-url]] if you didn't already. Otherwise, you don't need to do anything, but you can translate the help page at https://www.mediawiki.org/wiki/Help:Logging_in .
    (MW#53888)

-------------------------------------------------------------------
Fri Mar 14 05:08:11 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.22.4 - security update
  * The correct branch of each extension's git repository (e.g. REL1_19 for 1.19.13) was used.

-------------------------------------------------------------------
Thu Mar 6 14:21:58 UTC 2014 - jweberhofer@weberhofer.at

- Fixed a bug in the makealias script

-------------------------------------------------------------------
Fri Feb 28 14:25:07 UTC 2014 - jweberhofer@weberhofer.at

- Upgraded to release 1.22.3 - security update
  * SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace. (MW#60771)
  * SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time. (MW#61346)
  * SECURITY: API: Don't find links in the middle of api.php links. (MW#61362)
  * Add sequence support for upsert in DatabaseOracle in the same way as in selectInsert (MW#53710)
  * Various fixes to job running code in Wiki.php: Make it async on Windows. Fixed possible "invalid filename" errors on Windows. Redirect output to dev/null to avoid hanging PHP. (MW#60231, MW#58719)
  * Correct sequence name for fresh Postgres installation. Spotted by gebhkla (MW#60083)
  * Avoid variable naming conflicts in DatabasePostgres::selectSQLText. Spotted by gebhkla (MW#60531)
  * Fix rebuildall.php fatal error with PostgreSQL. The fix for MW#47055 introduced a fatal error when running rebuildall.php. This is a workaround suggested by gebhkla on Bugzilla. It just checks to make sure $options is actually an array before calling array_search on it. (MW#60094)
  * Add error handling if descriptionmsg isn't defined for extension. (MW#43817c12)
  * Special:PrefixIndex omits stripprefix=1 for "Next page" link.
(MW#60543) ------------------------------------------------------------------- Wed Jan 29 10:33:57 UTC 2014 - jweberhofer@weberhofer.at - upgraded to release 1.22.2 - security update * Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. (CVE-2014-1610, bug 60339) * Check for very old PCRE versions in installer and updater (bug 58253) * Make WikiPage::$mPreparedEdit public (bug 60054) ------------------------------------------------------------------- Tue Jan 14 09:43:00 UTC 2014 - jweberhofer@weberhofer.at - Upgraded to release 1.22.1 - security update * bug MW-55332 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS. (CVE-2013-6451) * SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript. (CVE-2013-6452) MW-57550 * SVG sanitization could be bypassed when the XML was considered invalid. (CVE-2013-6453) MW-58553 * CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454), MW-58472 * MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists. (CVE-2013-6472, MW-58699) * Bawolff discovered an XSS vulnerability with the way the extension stored and used HTML for showing videos. (CVE-2013-4574, MW-56699) * NULL pointer dereference in php-luasandbox, which could be used for DoS attacks. (CVE-2013-4570, MW-54527) * Buffer Overflow in php-luasandbox. It's not know if this could be use for code execution on the server. (CVE-2013-4571, MW-49705) * MediaWiki usernames could be leaked to other websites. Javascript returned for CentralAuth's login would update the page DOM with the username, even when included on other sites. 
(CVE-2013-6455, MW-57081) * Ravindra Singh Rathore reported a missing CSRF check to Mozilla, who reported the issue to us. Several other forms in the extension were also fixed. (MW-57025) * 1.22 tarball offers Extension SimpleAntiSpam which is supposed to be in core. (MW-59945) * Restore compatibility with curl < 7.16.2. (MW-58178) * Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at translatewiki.net. This change is backported from the development branch of MediaWiki 1.23. (MW-56931) * The broken installer for database backend Oracle was fixed. (MW-58434) * The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS. (MW-58167) * Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text. (MW-58640) * Changed FOR UPDATE handling in Postgresql (MW-47055) ------------------------------------------------------------------- Mon Dec 9 08:34:19 UTC 2013 - jweberhofer@weberhofer.at - Upgraded to release 1.22.0 * Anti-spam and countervandalism improvements ( Newly bundled: SimpleAntiSpam) * Editing improvements * Upgrades to Vector and other skins - The old Vector extension has been merged into core, and the extension has been discontinued. If you were previously using the Vector extension, you must uninstall it (the extension, not the skin) before upgrading to 1.22. 
* Support for Composer * PHP JSON extension now required * Several ancient skins removed * Blank system messages must be deleted * Protection rights usage has changed * Special:Disambiguations has been removed - For details see releasenotes at: https://www.mediawiki.org/wiki/Release_notes/1.22 ------------------------------------------------------------------- Wed Sep 4 09:03:33 UTC 2013 - jweberhofer@weberhofer.at - Updated to release 1.21.2 * SECURITY: Fix extension detection with 2 .'s * SECURITY: Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed. * SECURITY: Sanitize ResourceLoader exception messages * Purge upstream caches when deleting file assets. * Unit test suite now runs the AutoLoader tests. Also fixed the autoloading entry for the PageORMTableForTesting class though it had no impact. ------------------------------------------------------------------- Tue Jun 11 14:02:10 UTC 2013 - jweberhofer@weberhofer.at - Updated to release 1.21.1 * An incorrect version number was used for 1.21.0. 1.21.1 has the correct number. * A problem with the Oracle SQL table creation was fixed. * PdfHandler extension: Fix warning if pdfinfo fails but pdftext succeeds. ------------------------------------------------------------------- Mon May 27 14:18:11 UTC 2013 - jweberhofer@weberhofer.at - Updated to release 1.21.0 * The full release notes can be found here: Updated to release candidate 1.21.0 - Highlights: * Clearer email notifications * The CologneBlue skin has been refactored * ContentHandler: As part of the Wikidata initiative, 1.21 adopts an extensible framework ("ContentHandler") so that pages can contain something other than wikitext. * Support for high DPI displays * Ajax patrolling: With this new feature, users can mark revisions or pages as having been "patrolled" with a single click while staying on the current page. 
* Improved Internationalization * It's now easier to create accounts for other users by sending a temporary password via e-mail * More wikitext now supported in JavaScript messages * Using semantic headings for the navigation menu * Extended collation support * Newly bundled extensions - Cite - ImageMap - Interwiki - Title Blacklist - SpamBlacklist - Poem - InputBox - LocalisationUpdate - SyntaxHighlight GeSHi ------------------------------------------------------------------- Tue Apr 2 08:28:52 UTC 2013 - jweberhofer@weberhofer.at - Updated to release candidate 1.21.0rc1 ------------------------------------------------------------------- Mon Mar 4 20:10:58 UTC 2013 - jweberhofer@weberhofer.at - Maintenance release 1.20.3 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. * #44010 Context is passed to UserGetLanguageObject. * The recursion guard on RequestContext::getLanguage() was weakened. * #40585 Don't drop 'step="any"' in HTML input fields. * #44024 Fixed problems in ObjectCache when using XCache. * #44135 Fixed problems in CurlHttpRequest that caused InstantCommons to longer work by default. * #44010 FauxRequest leaked cookie data from primary request. ------------------------------------------------------------------- Wed Dec 5 21:54:34 UTC 2012 - jweberhofer@weberhofer.at - Maintenance release 1.20.2 * #42638 Fixes action=options&reset=1 in the API, and fixes unit tests. * #42370 Fixes backport of 60cc060 to use mDoneWrites instead of mTrxDoneWrites. 
------------------------------------------------------------------- Fri Nov 30 10:18:13 UTC 2012 - jweberhofer@weberhofer.at - Security release 1.20.1 * #42202: Validate options to prevent html injection * #40995: Prevent session fixation in Special:UserLogin (CVE-2012-5391) * #41400: Prevent linker regex from exceeding PCRE backtrack limit * #40632: Remove CleanupPresentationalAttributes feature * Javscript Lint fixes * [Database] Fixed case where trx idle callbacks might be lost. ------------------------------------------------------------------- Wed Nov 7 16:26:39 UTC 2012 - jweberhofer@weberhofer.at - openSUSE distribution: * simplified Apache configuration, using /w/ and /wiki/ directories * updated documentation * there was a change in handling file-uploads. See: README.DISTRIBUTION. - Minimum PHP version is now 5.3.2. - New diff view, greatly improved in clarity especially for whitespace and other small changes and color-blind users. - New special page Special:MostInterwikis. - New magic word {{PAGEID}} which gives the current page ID. - The info action has been reimplemented. - Internationalization: * New languages supported: Emilian (egl), Tornedalen Finnish (fit), Mizo (lus), Santali (sat), Turoyo (tru) * New Cyrillic-Latin language converter for Uzbek (uz) ------------------------------------------------------------------- Mon Oct 22 13:30:45 UTC 2012 - jweberhofer@weberhofer.at - Update documentation (thanks to Platonides) - Simplyfied Alias-Configuration, seperated pages (/wiki) and resources (/w) ------------------------------------------------------------------- Thu Sep 6 14:55:57 UTC 2012 - jweberhofer@weberhofer.at - Fixed requires ImageMagick-Magick++ --> ImageMagick; the old requirement was incomplete. 
------------------------------------------------------------------- Fri Aug 31 06:19:20 UTC 2012 - jweberhofer@weberhofer.at - Security release 1.19.2 * bug #39700: File: link to non-existing file can inject html * bug #39823: Hidden block text leaking to admins * bug #39184: LDAP password leakage * bug #39180: Disallow framing of api results * bug #37587: Enforce language codes to be html safe * bug #39824: Check global blocks on account creation ------------------------------------------------------------------- Mon Jun 25 21:56:00 UTC 2012 - jweberhofer@weberhofer.at - Release 1.19.1 * (bug 36568) Fixed "Illegal string offset 'LIMIT'" warnings in updater * (bug 36938) Correctly escape uselang attribute to prevent xss * Expanded Blacklist for SVG Files ------------------------------------------------------------------- Fri May 4 20:08:48 UTC 2012 - jweberhofer@weberhofer.at - Added /extensions folder to the Apache Alias Configuration ------------------------------------------------------------------- Thu May 3 07:47:30 UTC 2012 - jweberhofer@weberhofer.at - Release 1.19.0 * Bumped MySQL version requirement to 5.0.2. * Disable the partial HTML and MathML rendering options for Math, and render as PNG by default. * MathML mode was so incomplete most people thought it simply didn't work. * New skins/common/*.css files usable by skins instead of having to copy piles of generic styles from MonoBook or Vector's css. * The default user signature now contains a talk link in addition to the user link. * Searching blocked usernames in block log is now clearer. * Better timezone recognition in user preferences. * Extensions can now participate in the extraction of titles from URL paths. * The command-line installer supports various RDBMSes better. * The interwiki links table can now be accessed also when the interwiki cache is used (used in the API and the Interwiki extension). * More gender support (for instance in user lists). * Add languages: Canadian English. 
* Language converter improved, e.g. it now works depending on the page content language. * Time and number-formatting magic words also now depend on the page content language. * Bidirectional support further improved after 1.18. - #36475 - Generating thumbnails does not work when there is no access to /tmp ------------------------------------------------------------------- Wed May 2 07:12:59 UTC 2012 - jweberhofer@weberhofer.at - Security release 1.18.3 * (bug 35446) Using "{{nse:}}" with an invalid namespace name no longer throws a PHP warning. * (bug 35567) The whole password reminder e-mail is now sent in the same language. * (bug 35961) Hash comparison should always be strict. * (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php on line 598. * Fix broken email confirmation expiration caused by MWCryptRand changes. ------------------------------------------------------------------- Fri Mar 23 12:51:06 UTC 2012 - jweberhofer@weberhofer.at - Security release 1.18.2 * #33686 could not get a list of contributor for an article when using a SQLite database. * #33865 Exception thrown in action=parse when attempting to use the title parameter without setting the text parameter. * UserMailer could potentially throw a fatal error when a MailAddress object had an empty email address. * #33087 Exchange server rejected mail sent by MediaWiki * #34528 Edit section tooltips show correction section name again * #34246 MediaWiki:Whatlinkshere-summary message is displayed again in Special:Whatlinkshere * #22555 Remove or skip strip markers from tag hooks like <nowiki> in core parser functions which operate on strings, such as formatnum. * #34212 ApiBlock/ApiUnblock allow action to take place without a token parameter present. * #34907 Fixed exposure of tokens through load.php that could have facilitated CSRF attacks. * #35317 CSRF in Special:Upload. 
------------------------------------------------------------------- Wed Feb 1 15:04:04 UTC 2012 - jweberhofer@weberhofer.at - Improved extension handling (use a seperate directory) - Improved scripts, fixed some minor bugs - Improved handling of old extension replacement ------------------------------------------------------------------- Tue Jan 31 11:43:19 UTC 2012 - jweberhofer@weberhofer.at - Fixed bug 32486 - WebRequest::getPathInfo() broken in img_auth.php on DreamHost (edit) ------------------------------------------------------------------- Wed Jan 11 22:47:18 UTC 2012 - jweberhofer@weberhofer.at - 1.18.1 * (bug 33117) prop=revisions allows deleted text to be exposed through cache pollution. * (bug 32712) Fix for search indexing of pages with certain unicode chars following URL. * (bug 3901) Lang, hreflang attribs added to sidebar interlanguage links for screen readers. * (bug 30774) mediawiki.html: Add support for numbers and booleans in the attribute values and element contents. * (bug 32473) [[Special:PasswordReset]] can not be used on private wiki. * (bug 32853) Fixed CACHE_DBA object cache type. * (bug 32786) Backward compatibility for extension using 1.17's Database::newFromType(). * Fixed exception when using Special:WhatLinksHere on a Media: file. * (bug 32709) Private Wiki users were always taken to Special:Badtitle on login. * (bug 33240) Sort images are missing but referenced in css. * (bug 31921) Magic words REVISIONDAY, REVISIONMONTH and REVISIONYEAR were not showing their values on preview. * (bug 32702) Removed method Skin::makeGlobalVariablesScript() has been readded for backward compatibility. * (bug 30172) The check for posix_isatty() in maintenance scripts did not detect when the function exists but is disabled. Introduced Maintenance::posix_isatty(). * (bug 33305) Make mw.util.addCSS resistant to IE's @font-face bug by setting cssText after DOM insertion. 
* (bug 29102) Upgrades no longer fail with the error "Unknown character set: 'mysql4'. * (bug 25355) Parser generates edit section links for special pages. * (bug 33321) Adding a line to MediaWiki:Sidebar that contains a pipe, but doesn't have any pipes after being transformed by MessageCache, causes exception on all pages. * Fixed recentchanges FK violation on page delete and cache purge error in updater for Oracle DB. ------------------------------------------------------------------- Mon Dec 19 13:53:06 UTC 2011 - jweberhofer@weberhofer.at - Fixed a update.sh script error ------------------------------------------------------------------- Wed Nov 30 08:17:54 UTC 2011 - jweberhofer@weberhofer.at - Updated Math-installation description ------------------------------------------------------------------- Tue Nov 29 14:12:58 UTC 2011 - jweberhofer@weberhofer.at - 1.18.0 * jQuery 1.6.4 is now included as standard * action=watch / action=unwatch now requires a token * Included Extensions: - ConfirmEdit - Gadgets - Nuke - ParserFunctions - Renameuser - Vector - WikiEditor * Better gender support * Improved file metadata support * Improved directionality support * Easily find where to customize interface messages * New plugin for collapsible elements * Protocol-relative URLs * More personalisable styles and scripts * $wgEnableDublinCoreRdf and $wgEnableCreativeCommonsRdf no longer work in core * $wgUseTeX has been superseded by the Math extension * New languages The full announement can be found at http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000105.html ------------------------------------------------------------------- Tue Nov 29 10:09:31 UTC 2011 - jweberhofer@weberhofer.at - 1.17.1 * (bug 32276) Page titles on private wikis are exposed with index.php?curid= * (bug 32616) - action=ajax bypasses read permissions ------------------------------------------------------------------- Mon Oct 10 15:15:00 2011 - opendevel@weberhofer.at - Improved 
documentation - Moved texvc to the /usr/bin directory - Improved pre-configuration - Fixed some paths which changed with Mediawiki 1.17 - Improved makealias.sh script ------------------------------------------------------------------- Tue Jul 05 14:51:00 2011 - opendevel@weberhofer.at - Fixed Bug 29531 - r89628 breaks img_auth.php ------------------------------------------------------------------- Sun Jul 03 00:23:00 2011 - opendevel@weberhofer.at - improved update script ------------------------------------------------------------------- Wed Jun 22 08:29:00 2011 - opendevel@weberhofer.at - 1.17.0 * Fixed syntax error in generated LocalSettings.php when a non-default user rights profile is chosen. * (bug 29399) Fixed PostgreSQL installation when the DB user for installation is the same as the one for web access. * (bug 29233) Fixed failover for DB slave servers. When a DB slave went down, an error was immediately shown to the user, instead of trying another slave. Was broken since 1.17 beta 1. * (bug 29278) Fixed PHP fatal error when attempting to add text to a page via a redirect. * (bug 29408) Fixed uploads of files with MIME types that aren't detected by MediaWiki. ------------------------------------------------------------------- Wed Jun 15 14:22:00 2011 - opendevel@weberhofer.at - fixed a bug related to the texvc-configuration - included patch to fix update on oss 11.4 ------------------------------------------------------------------- Wed Jun 15 12:00:00 2011 - opendevel@weberhofer.at - 1.17.0rc1 * A new installer has been introduced. * ResourceLoader, a new framework for delivering client-side resources such as JavaScript and CSS, has been introduced. * Category sorting has been improved. * The lowest supported version of PHP is now 5.2.3. 
* The full list of features is here: http://www.mediawiki.org/wiki/Release_notes/1.17 - The update-script removes inclusion of DefaultSettings.php from code - The update-script moves the cache-folder out of the web-root - Some improvements within the scripts have been made ------------------------------------------------------------------- Thu May 05 00:00:00 2011 - opendevel@weberhofer.at - 1.16.5 * Bug 28534 - XSS in MediaWiki * Bug 28639 - Trivial account takeover using forged cookies possible when $wgBlockDisablesLogin = true - Renamed and cleaned up additional scripts ------------------------------------------------------------------- Sat Apr 30 00:00:00 2011 - opendevel@weberhofer.at - Removed building of ZhConversion.php again, removed build-folder - Added patch #87145, which automatically disables xcache on cli-invokes ------------------------------------------------------------------- Fri Apr 29 00:00:00 2011 - opendevel@weberhofer.at - Re-packaged sources in bz2 file - Build ZhConversion.php - Deny access to cache-folder ------------------------------------------------------------------- Thu Apr 14 00:00:00 2011 - opendevel@weberhofer.at - 1.16.4 * Bug 28507 - XSS: Incorrect patch for bug 28235 - RPM Packaging * The proposed apache configuration contains the new RewriteRule to workaround the vulnerability ------------------------------------------------------------------- Tue Apr 12 00:00:00 2011 - opendevel@weberhofer.at - 1.16.3 * Bug 28235 - XSS: IE6 looks for the file extension in the query string * Bug 28450 - Backslash-escaped comments allow CSS injection vulnerability * Bug 28449 - Unauthorised access to transwiki import - RPM Packaging * Mediawiki_MakeAlias.sh script to generate new mediawikis has been added * Mediawiki_Update.sh script has been added to update all wikis * spec file has been simplified * configuration file has been improved ------------------------------------------------------------------- Wed Feb 02 00:00:00 2011 - 
opendevel@weberhofer.at - 1.16.2 - (bug 26642) Fixed incorrect translated namespace due to a regression in the language converter. - The interface translations were updated. - (bug 27093, CVE-2011 --0047): Fixed CSS injection vulnerability. - (bug 27094) Fixed server-side arbitrary script inclusion vulnerability. Affects Windows servers only. A malicious file with extension ".php" must exist on the server for the exploit to be effective. ------------------------------------------------------------------- Mon Jan 24 00:00:00 2011 - opendevel@weberhofer.at - 1.16.1 - (bug 26561) Clickjacking vulnerabilities - (bug 24981) Allow extensions to access SpecialUpload variables again - (bug 24724) list=allusers was out by 1 (shows total users - 1) - (bug 24166) Fixed API error when using rvprop=tags - For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload. - (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0) - (bug 25248) Fixed paraminfo errors in certain API modules. - The installer now has improved handling for situations where safe_mode is active or exec() and similar functions are disabled. - (bug 19593) Specifying --server in now works for all maintenance scripts. - Fixed $wgLicenseTerms register globals. 
------------------------------------------------------------------- Mon Oct 18 00:00:00 2010 - opendevel@weberhofer.at - replace image duplicates with symlinks - move .htaccess rules into central configuration - add api.php as a direct alias ------------------------------------------------------------------- Sun Oct 17 00:00:00 2010 - opendevel@weberhofer.at - move docs to default docs directory - some fixes in documentation - Added fdupes ------------------------------------------------------------------- Sat Oct 16 00:00:00 2010 - opendevel@weberhofer.at - include math extension's directory in the mediawiki package - Improve Apache configuration - Improve Documentation for short URLs - Make the cache directory visible ------------------------------------------------------------------- Wed Oct 13 00:00:00 2010 - opendevel@weberhofer.at - Moved texcv to a seperate package - build a noarch package ------------------------------------------------------------------- Mon Oct 11 00:00:00 2010 - opendevel@weberhofer.at - Initial package derived from an old opensuse version - New, FHS compliant structure - Update to mediawiki 1.16