Name Status Last Modified Last Commit
lp://qastaging/debian/stretch/mediawiki 1 Development 2015-05-27 14:30:39 UTC
64. * Non-maintainer upload. * Add patch ...

Author: Thijs Kinkhorst
Revision Date: 2015-04-06 16:53:54 UTC

* Non-maintainer upload.
* Add patch fixing several security issues:
  - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
    contain XML entities, to prevent various DoS attacks.
  - (bug T88310) SECURITY: Always expand XML entities when checking
    SVGs.
  - (bug T73394) SECURITY: Escape > in Html::expandAttributes to
    prevent XSS.
  - (bug T85855) SECURITY: Don't execute another user's CSS or JS
    on preview.
  - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
    fixed in SVG filtering to prevent XSS and protect viewer's
    privacy.

lp://qastaging/debian/jessie/mediawiki 1 Development 2015-04-06 16:53:54 UTC
64. * Non-maintainer upload. * Add patch ...

Author: Thijs Kinkhorst
Revision Date: 2015-04-06 16:53:54 UTC

* Non-maintainer upload.
* Add patch fixing several security issues:
  - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
    contain XML entities, to prevent various DoS attacks.
  - (bug T88310) SECURITY: Always expand XML entities when checking
    SVGs.
  - (bug T73394) SECURITY: Escape > in Html::expandAttributes to
    prevent XSS.
  - (bug T85855) SECURITY: Don't execute another user's CSS or JS
    on preview.
  - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
    fixed in SVG filtering to prevent XSS and protect viewer's
    privacy.

lp://qastaging/debian/mediawiki bug 1 Development 2015-04-06 16:53:54 UTC
64. * Non-maintainer upload. * Add patch ...

Author: Thijs Kinkhorst
Revision Date: 2015-04-06 16:53:54 UTC

* Non-maintainer upload.
* Add patch fixing several security issues:
  - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
    contain XML entities, to prevent various DoS attacks.
  - (bug T88310) SECURITY: Always expand XML entities when checking
    SVGs.
  - (bug T73394) SECURITY: Escape > in Html::expandAttributes to
    prevent XSS.
  - (bug T85855) SECURITY: Don't execute another user's CSS or JS
    on preview.
  - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
    fixed in SVG filtering to prevent XSS and protect viewer's
    privacy.

lp://qastaging/debian/wheezy/mediawiki 1 Development 2014-12-21 13:03:27 UTC
46. * CVE-2014-9277: Fix regression intro...

Author: Sebastien Delafond
Revision Date: 2014-12-21 13:03:27 UTC

* CVE-2014-9277: Fix regression introduced by previous patch.
* Add patch fixing T76686: thumb.php outputs wikitext message as raw
  HTML, which could lead to XSS. Permission to edit MediaWiki namespace
  is required to exploit this.

lp://qastaging/debian/squeeze/mediawiki 1 Development 2013-09-08 19:53:58 UTC
30. CVE-2013-4302: apply patch from upstr...

Author: Jonathan Wiltshire
Revision Date: 2013-09-08 19:53:58 UTC

CVE-2013-4302: apply patch from upstream to prevent
access to anti-CSRF tokens via JSONP

lp://qastaging/debian/experimental/mediawiki 1 Development 2012-08-03 17:22:02 UTC
35. * prevent <table></table> without any...

Author: Thorsten Glaser
Revision Date: 2012-08-03 17:22:02 UTC

* prevent <table></table> without any <tr /> inside, globally
* fix more cases of not checking $wgHtml5
* MW’s ID (XML) sanitiser is there for a reason, use it!

lp://qastaging/debian/lenny/mediawiki 2 Mature 2011-12-18 23:19:40 UTC
8. Security fixes from upstream (Closes:...

Author: Jonathan Wiltshire
Revision Date: 2011-12-18 23:19:40 UTC

Security fixes from upstream (Closes: #650434):
CVE-2011-4360: page titles on private wikis could be exposed
  bypassing different page ids to index.php
CVE-2011-4361: action=ajax requests were dispatched to the
  relevant function without any read permission checks being done
CVE-2011-1578: XSS for IE <= 6
CVE-2011-1579: CSS validation error in wikitext parser
CVE-2011-1580: access control checks on transwiki import feature
CVE-2011-1587: fix incomplete patch for CVE-2011-1578
