+= MediaWiki 1.23 =
+
+== MediaWiki 1.23.13 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.12 ===
+* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
+
+== MediaWiki 1.23.12 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.11 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+
+== MediaWiki 1.23.11 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.10 ===
+
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.23.10 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.9 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* (bug 67644) Make AutoLoaderTest handle namespaces
+* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+
+== MediaWiki 1.23.9 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.8 ===
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
+* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
+ update.php to fix.
+* (bug T70087) Fix Special:ActiveUsers page for installations using
+ PostgreSQL.
+
+== MediaWiki 1.23.8 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.7 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
+== MediaWiki 1.23.7 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.6 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
+ HTML, it is not safe to preview wikitext coming from an untrusted source such
+ as a cross-site request. Thus add an edit token to the form, and when raw HTML
+ is allowed, ensure the token is provided before showing the preview. This
+ check is not performed on wikis that both allow raw HTML and anonymous
+ editing, since there are easier ways to exploit that scenario.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
+
+== MediaWiki 1.23.6 ==