@@ -8,7 +8,7 @@ PHP 8.5 workboard: https://phabricator.wikimedia.org/tag/php_8.5_support/
88
99== MediaWiki 1.45.1 ==
1010
11- THIS IS NOT A RELEASE YET
11+ This is a security and maintenance release of the MediaWiki 1.45 branch.
1212
1313=== Changes since 1.45.0 ===
1414* Localisation updates.
@@ -20,14 +20,31 @@ THIS IS NOT A RELEASE YET
2020* (T411968) Installer: Do not use null as array offset.
2121* Add support for HTTP/3 in MultiHttpClient.
2222* (T411968) EditResultBuilder: Do not use null as array offset.
23+ * Add http/3 to runMulti in MultiHttpClient
24+ * (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in
25+ Special:ApiSandbox.
26+ * (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment
27+ links.
28+ * (T405859, CVE-2025-67476) SECURITY: Do not use importers IP in case of
29+ external rev author.
30+ * (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail
31+ encoded-words.
32+ * (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and wide
33+ underscore in data-* attribute names.
34+ * (T401053, CVE-2025-67480) SECURITY: Check read permissions in
35+ ApiQueryRevisionsBase.
36+ * (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape
37+ 'comma-separator' between multiple protection levels.
38+ * (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side
39+ messages (jqueryMsg).
2340
2441== MediaWiki 1.45.0 ==
2542
2643=== Changes since MediaWiki 1.45.0-rc.0 ===
2744* Localisation updates.
2845* (T410913) SpecialVersion: Fix "Cannot use bool as array" warning.
2946* (T410928) resourceloader: Fix null offset in ClientHtml module sorting.
30- * (T401987, T401995) SECURITY: Disable xslt option by default.
47+ * (T401987, T401995, CVE-2025-67484 ) SECURITY: Disable xslt option by default.
3148* (T410934) Remove noop xml_parser_free() calls.
3249* (T405450) session: Use fresh MW services container in CLI mode.
3350* (T410912) MessageCache: Fix PHP 8.5 warning from ord().
0 commit comments