Bump to 1.5alpha2

[lhc/web/wiklou.git] / RELEASE-NOTES

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 765d769..d818a32 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -4,6 +4,24 @@ Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it *off* if you can.
 
 
+== MediaWiki 1.5 alpha 2 ==
+
+June 3, 2005
+
+MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
+and a security update.
+
+Incorrect handling of page template inclusions made it possible to
+inject JavaScript code into HTML attributes, which could lead to
+cross-site scripting attacks on a publicly editable wiki.
+
+Vulnerable releases and fix:
+* 1.5 prerelease: fixed in 1.5alpha2
+* 1.4 stable series: fixed in 1.4.5
+* 1.3 legacy series: fixed in 1.3.13
+* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
+
+
 == MediaWiki 1.5 alpha 1 ==
 
 May 3, 2005
@@ -242,6 +260,7 @@ Various bugfixes, small features, and a few experimental things:
 * (bug 684) Accept an attribute parameter array on parser hook tags
 * (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
   LDAP authentication plugin
+* (bug 2034) Armor HTML attributes against template inclusion and links munging
 
 
 === Caveats ===