Revisions of mediawiki

Carsten Ziepke (Kieltux) accepted request 1150029 from Carsten Ziepke (Kieltux) (revision 94)
- Use %autosetup macro. Allows to eliminate the usage of deprecated
  %patchN, prepare for RPM 4.20
Carsten Ziepke (Kieltux) accepted request 1138568 from Carsten Ziepke (Kieltux) (revision 93)
- Update to Mediawiki 1.39.6
  Security and maintenance release
  * Localisation updates.
  * Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
  * Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
  * (T344912) mail: Encode period (ascii 46) if it appears in
    encoded email header.
  * Added symfony/polyfill-php82.
  * Added symfony/polyfill-php83.
  * Updated symfony/yaml from 5.4.10 to 5.4.23.
  * (T329609) ApiQueryLanguageinfoTest: Do not pass a float to
    setFakeTime.
  * Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
  * tests: Provide coverage for StatusValue::__toString.
  * StatusValue: Improve logging/debug output with multibyte
    characters.
  * (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped
    messages used in rights log.
  * Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
  * (T229992) LocalisationCache: Preserve fallback source
    language info.
  * (T275085) Fix logging Status objects to 'authevents' channel.
  * (T341310) DEVELOPERS.md: mention git clone and WSL.
  * (T351758) DEVELOPERS.md: reword WSL instructions to include
    best practices.
  * (T349115) LocalisationCache: Fix a rare case in fallback
    source language.
  * SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null
    to parameter #1 ($string) of type string is deprecated".
  * maintenance: Add missing parenthesis to SQL
    in attachLatest.php.
  * (T353472) maintenance: Fix join condition in
    DeduplicateArchiveRevId.
Johannes Weberhofer (weberho) accepted request 1116512 from Carsten Ziepke (Kieltux) (revision 92)
- Update to Mediawiki 1.39.5
  Security and maintenance release
  * Localisation updates.
  * (T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
    self-redirects with variants conversion.
  * docs: Fix a few typos in MainConfigSchema.
  * (T309714) mime: Add support for 'font/sfnt' mime type.
  * (T341434) WikiImporter: Improve error message output.
  * (T317255) VueComponentParser: Use Zest's getElementsByTagName()
    rather than PHP's.
  * (T341737) ApiBase: Cast $id to string in filterIDs.
  * (T286291, T296188) Merge zh and zh-tw namespace translations
    back to zh-hans, zh-hant, zh-hk respectively.
  * (T337875) WRStats: Round up SequenceSpec::hardExpiry to the
    nearest integer.
  * (T237898) installer: Check MariaDB version in updater/installer.
  * (T342632) ApiComparePages: Add help url.
  * (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
  * (T342351) rdbms: Fix postgres db function call.
  * (T343675) user: Use {@} to escape annotation when writing
    about annotation.
  * (T343797) LanguageWa: Fix double timezone adjustment.
  * (T326454) Update pear/mail to 1.5.1.
  * (T343622) docs: Set the <comment> tag back to optional.
  * (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
  * (T337463) wdio-mediawiki: await saveScreenshot.
  * (T274041) Include core PSR-4 classes in the generated classmap.
  * (T208477) $wgPrivilegedGroups – Users belonging in some of the
    listed groups will be audited more aggressively.
  * doc: Improve description of "type" in extension.schema.v2.json.
  * Added PrivilegedGroups attribute for extension.json / skin.json,
    which lets you add any new user groups you define to 
    wgPrivilegedGroups (see above).
  * HTMLForm: Fix E_NOTICE when hide-if is used with
    setFormIdentifier.
  * (T288624) MultiHttpClient: Unset $this->cmh after closing it.
  * (T345039) Do not run SkinAfterBottomScripts hook twice
    unconditionally.
  * (T265734) API Help: Note that parameters may be inherited from
    other context.
  * API: Make continue parameter help description more specific.
  * (T285545) i18n: Split apihelp for standard dir parameter.
  * (T285545) i18n: Split apihelp for 
    redirects/linkshere/transcludedin/fileusage show.
  * (T285545) i18n: Split apihelp for parameter
    list=deletedrevs&drprop=.
  * (T285545) i18n: Split apihelp for parameter
    list=allpages&apprexpiry=.
  * (T285545) i18n: Split apihelp for parameter
    action=opensearch&redirects=.
  * (T285545) i18n: Split apihelp for parameter
    action=managetags&operation=.
  * (T285545) api: Add message for list=watchlist&wlprop=expiry.
  * (T334011) ApiComparePages: expose 'difftype' param if wikidiff2
    is installed.
  * (T342633) api: Add message for action=compare&prop=timestamp.
  * API: revids=… does not necessarily return the queried revisions.
  * (T326696) user: Truncate option value in UserOptionsManager.
  * (T326696) ApiOptions: Give warning if the value is too long.
  * API i18n: Add {{PLURAL:}} for byte count messages.
  * (T235207) Get correct main page in API call examples.
  * doc: Make extension.schema.v2.json a valid JSON schema.
  * updateSpecialPages.php: Avoid implicit float conversion
    on modulo.
  * (T347227) ImportReporter: Make callback functions public.
  * (T346898) importDump: Unconditionally call
    $importer->setUsernamePrefix().
  * doc: Improve description of type in extension.schema.v1.json.
  * (T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous
    unescaped messages leading to potential XSS.
  * (T340220, CVE-2023-PENDING) SECURITY: Vector 2022:
    vector-intro-page message is assumed to yield a valid title.
  * (T340221, CVE-2023-PENDING) SECURITY: XSS via 
    'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
  * (T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser
    ("X intermediate revisions by the same user not shown") ignores
    username suppression.
  * (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading
    crafted XML file to Special:Upload (non-standard configuration).
Lars Vogdt (lrupp) accepted request 1096981 from Carsten Ziepke (Kieltux) (revision 91)
- Update to Mediawiki 1.39.4
  Security and maintenance release
  * Localisation updates.
  * (T333990) composer.json: Explicitly pin psr/http-message to
    1.0.1.
  * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
    (2.4.0 => 2.4.5).
  * (T333776) Template:ACTIVEUSERS wasn't being updated without
    updateSpecialPages.php.
  * (T258860) Prevent LogicCache exception from message cache
    during IO errors from memcache.
  * (T336868) Improve idempotency of postgres index upgrades.
  * (T322944) Add Authorization to default $wgAllowedCorsHeaders.
  * (T332889, CVE-2023-36675) SECURITY: Fix escaping in
    BlockLogFormatter.
  * A fake MessageLocalizer for use in unit tests.
  * (T338114) Title: Add forward alias.
  * composer: Add symfony/polyfill-php81 like
    symfony/polyfill-php80.
  * (T330464) Work around argument corruption bug in
    XMLReader::open.
  * Fix frame and frameless rdfa depending on file existing.
  * Fixes for the phan upgrade, part 1.
  * Fixes for the phan upgrade, part 2.
  * (T298571) build: Update mediawiki/mediawiki-phan-config
    to 0.12.0.
  * build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
  * (T329214) Pass whether current rev of file exists to
    Linker::makeBrokenImageLinkObj.
  * (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
  * A manualthumb that doesn't exist should be considered a
    thumb error.
  * (T313157) IndexPager: Also protect against $offset being 0.
  * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup
    to Linker.
Johannes Weberhofer (weberho) accepted request 1076713 from Carsten Ziepke (Kieltux) (revision 90)
- Update to Mediawiki 1.39.3
  Security and maintenance release
  * Localisation updates.
  * (T225218) LinksUpdate: Use DB key for category links table.
  * GlobalFunctions: Remove check for MEDIAWIKI constant.
  * (T329484) API: Fix query+allimages user parameter description.
  * (T330529) SpecialEditTags: Set default of '' for wpReason.
  * (T330382) postgres: Make the upgrade ignore dropping indexes
    that might not exist.
  * (T330526) htmlform: Handle null from HTMLFormField::getDefault
    in multiselects.
  * (T291753) rdbms: escape backslashes in makeConnectionString
    for PostgreSQL.
  * (T325529) Fix total breakage of wgCanonicalServer fallback.
  * (T318103) mediawiki.storage: Disable async GC during
    integration test.
  * (T332461, T332397) TempFSFile: Keep the WeakMap alive.
  * (T332902) page: fix InvalidArgumentException in
    SQLPlatform::makeList.
  * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to
    untrusted XFF headers.
- Fix some rpmlint warnings
Johannes Weberhofer (weberho) accepted request 1072946 from Carsten Ziepke (Kieltux) (revision 89)
- Update to Mediawiki 1.39.2
  Maintenance release
  * Localisation updates.
  * (T325872) ChangeTags: Remove table name from condition.
  * (T324895) MWCallbackStream: Add explicit $stream property.
  * (T297031, T326039) PostgresUpdater: Move setDefault ahead of
    changeNullableField.
  * (T321319) Produce HTML for invalid JSON.
  * (T215466, T326071) MigrateActors: Write to revision table
    (Follow-up 24115a8).
  * (T223027) ReservedUsernames config: Add reserved names from
    maintenance scripts.
  * (T325000, T324896, T307631) Updated OOUI from v0.44.3
    to v0.44.5.
  * Remove /images .htaccess rules that are no longer relevant.
  * Disable php in .htaccess of images directory as a hardening
    measure.
  * (T322583) Include missing message parameter in message.
  * LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
  * DatabaseSqlite: fix null blobs.
  * rdbms: avoid pg_escape_bytea() call-style deprecation notices.
  * (T322278) Improve LocalisationCache post-merge validation check.
  * (T324408, T326367) Updated wikimedia/remex-html from 3.0.2
    to 3.0.3.
  * (T322278) Fix the remaining Phan failures on PHP 8.1.
  * (T322278, T326367) Respond to some messages from Phan on 
    PHP 8.1.
  * Fix phan error when Excimer is enabled.
  * (T326021) Add matrix: to $wgUrlProtocols.
  * (T314099) stream wrapper: Declare $context class property.
  * (T314099) libs\jsminplus: Declare JSNode::$expression.
  * (T314096) composer.json: Updated composer/spdx-licenses from
    1.5.6 to 1.5.7.
  * (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
  * (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
  * (T215466, T326071) installer: Split drop action out of the SQL
    patch for actor migration.
  * (T322603) SqliteMaintenance.php: Fix fatally broken instanceof
    check.
  * (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
  * api/en.json: api-help-datatype-expiry add missing 'may'.
  * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect
    code.
  * (T328222) Pass empty string to strlen() if schema is null for
    PostgresDatabase.
  * (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
  * (T155582, T328503) Fix XML dumps for content types with
    non-string getNativeData().
  * (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being
    released.
  * (T314099) revisiondelete: Replace dynamic property
    Status::$itemStatuses
  * (T327821) skin: Restore default 'value' attribute in
    makeSearchButton().
  * (T329198) ParamValidator: Improve paramvalidator-help-multi-max
    message.
  * (T329415) Clear the statsd data buffer regardless of
    StatsdServer config.
  * (T292348) WikiImporter: do not fail if upload entry in dump
    lacks 'text' tag.
  * (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if
    no path.
  * (T324894) TempFSFile: Use a WeakMap for reference tracking
    if available.
  * (T295637) Add no to fallback chain of nb and nn.
Johannes Weberhofer (weberho) accepted request 1045157 from Carsten Ziepke (Kieltux) (revision 88)
- Update to Mediawiki 1.39.1
  Security and maintenance release
  * Localisation updates.
  * PostgresUpdater: Remove trailing space from 'user_id ' column.
  * (T304515) LCStoreStaticArray: atomically replace the cache file.
  * (T324516) postgres: Fix upgrade for templatelinks primary key.
  * (T324890, T324891, T324901) Parser: Allow dynamic properties
    on PHP 8.2.
  * (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
  * (T314099) OutputPage: Remove unused dynamic property
    ParserOptions->isBogus.
  * (T314099) api: Remove use of undeclared property in
    action=comparepages.
  * Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
  * (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
  * Updated pear/mail (v1.4.1 => v1.5.0).
  * Removed wikimedia/dodo (v0.4.0).
  * (T324910) On pages using multi-content revisions, the raw
    content of a specific slot can be retrieved using the
    action=raw&slot=<role-name> query parameters.
  * (T322637) SECURITY: sqlite should not create DB file
    world-readable.
Johannes Weberhofer (weberho) accepted request 1040399 from Carsten Ziepke (Kieltux) (revision 87)
- Update to Mediawiki 1.39.0
  * MediaWiki 1.39 is an LTS and is due to be supported until the
    end of November 2025.
  * Please visit and read before update:
    https://www.mediawiki.org/wiki/Release_notes/1.39
- Update Requires to php > 7.4.3 and < 8.2.0
- Rebase and rename mediawiki-use-localsettings-from-webroot.patch
Johannes Weberhofer (weberho) accepted request 1007289 from Carsten Ziepke (Kieltux) (revision 86)
- Update to Mediawiki 1.37.6
  Maintenance release
  * Fix missing use statement from backport of fix for T307278.
- Changes in Mediawiki 1.37.5
  Security and maintenance release
  * Localisation updates.
  * (T312519, T312520) Parser::extensionSubstitution() Don't run
    substr() on null.
  * (T287564) populateInterwiki: Include not null columns
    iw_api/iw_wikiid.
  * (T312302) SpecialRedirect: Don't pass null to explode.
  * RemoveInvalidEmails: Fix quoting for postgres.
  * (T312678) import: UploadSourceAdapter::stream_read() don't
    pass null to strlen().
  * (T312300) SpecialDiff: Don't pass null to explode().
  * (T312680) parser: Fix CoreParserFunctions::urlencode() null
    coalescence $arg.
  * (T289926) Handle null passed to wfShorthandToInteger()
    and Html::element().
  * (T289926) Ensure that strlen() does not get passed a
    (valid) null.
  * (T312301) SpecialDiff: Don't pass null to trim().
  * Hooks: Use more meaningful name for SkinAfterPortlet hook
    parameter.
  * (T289926) Ensure we don't pass null to mb_strlen.
  * (T312305, T311572, T311571, T311578) HtmlForm: Null
    coalescence in trim() calls.
  * (T289926) site: Consistently return null from
    Site::getDomain().
  * (T307304, T289879) filebackend,jobqueue: Add signature for
    FilterIterator::accept().
  * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test
    mock for PHP 8.1.
  * Add application/vnd.ms-opentype to MIME list.
  * Allow composer/installers plugin in composer.json.
  * Change type hints for BatchRowIterator and NotRecursiveIterator
    for compatibility with PHP 8.1.
  * (T313663) [php8.1] Change override of $wgResourceBasePath for
    CSP tests.
  * (T313663) parser: Mock WikiPage::getContentModel in
    ParserCacheTest to fix php8.1.
  * (T313663) [php8.1] Make WikiImporterFactoryTest use better
    mock for ImportSource.
  * Fix tests so getName() doesn't return null.
  * (T313663) [php8] Don't use strlen on potentially null string.
  * (T313663) [php8.1] Suppress test warning about providing null.
  * (T313663) Parser will use current timestamp instead of null
    if passed a RevisionRecord that does not have a timestamp.
  * (T313663) Add explicit null check for $sha in FileBackend
    [php8.1].
  * (T313663) LogFormatter: Cast argument of ctype_digit to string
    [php8.1].
  * (T313663) Mock UserOptionsManager::getOption for php8.1.
  * (T289879, T289926) Get rid of warnings on PHP 8.1.
  * (T313663) Check for null return of preg_replace in
    MediaWikiTitleCodec.
  * (T313663) cast db name to string when checking if it is read
    only [php8.1].
  * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo
    [php 8.1 compat].
  * Fix a couple deprecation warnings in the installer under
    PHP 8.1.
  * (T313663) Use default timezone UTC for SpecialWatchlistTest
    [php 8.1].
  * (T313663) Mock User::getTitleKey in SpecialPreferencesTest
    [php 8.1].
  * (T314096) Migrate use of ${var}-style string interpolation.
  * (T314099) preprocessor: Add missing field declarations.
  * (T313663, T313662) Make default value for optional args
    {{PAGESINCAT:..}} be '' not null.
  * (T314225) SpecialCategories: Null coalescence $par.
  * (T314099) User: Allow dynamic properties on PHP 8.2.
  * (T314397) SpecialBlock: Better handle null in
    getTargetUserTitle.
  * (T314099) phpunit: Fix trivial dynamic property usages
    in tests.
  * (T314405) UploadStash: Check if us_prop is set in the
    fileMetadata.
  * (T313663) Make ChangesListSpecialPageTest cast to string
    for php 8.1.
  * (T313663) Do not test giving a null fragment to
    Title::makeTitle.
  * (T314550) SpecialMergeHistory: Set timestamp to '' if no
    mergepoint.
  * (T314551) SpecialMergeHistory: Set defaults for target and
    dest parameters.
  * api: Add rel=nofollow to help examples.
  * (T307613) Validate length of user email on
    Special:ChangeEmail/Special:CreateAccount.
  * (T314226) LoginSignupSpecialPage: Check if $value is a string
    before length.
  * (T314824) tests: Update parser test after i18n change.
  * (T295958, T278847) MediaWiki-Docker: Switch PHP images to
    PHP7.4.
  * (T314906, T314907) SpecialBlock: Set defaults for
    wpPageRestrictions and wpNamespaceRestrictions.
  * (T315309) ImportStreamSource::newFromURL() Prevent passing
    null to fwrite.
  * (T315892) composer.json: Pin phpunit to 8.5.28.
  * (T313049) Bump wikimedia/parsoid to v0.14.2.
  * (T317750) session: Fix broken SessionTest case due to PHPUnit
    dependency change.
  * (T318079) SpecialEditTags: Set default value of wpTagsToRemove
    to empty array.
  * (T318460) SpecialChangeEmail: Set default for returntoquery.
  * (T318307) Update docs for HTMLFormField::validate() to permit
    all data types.
  * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't
    update results in an IP range check on Special:Contributions.
  * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes
    existence of hidden users.
  * (T307278, CVE-2022-41766) SECURITY: On action=rollback the
    message "alreadyrolled" can leak revision deleted user name.
Johannes Weberhofer (weberho) accepted request 988048 from Carsten Ziepke (Kieltux) (revision 85)
- Update to Mediawiki 1.37.4
  Maintenance release
  * Localisation updates.
  * (T311568) UploadBase::setTempFile() handle $tempPath being
    passed as null.
  * (T311559) SpecialListFiles: user parameter isn't always present.
  * (T311561) ImageListPager: Don't call htmlspecialchars() on null.
  * (T311920) SpecialBlockList: Prevent passing null to trim().
  * (T311921) SpecialUserrights: Don't pass null to str_replace.
  * (T311570) SpecialWithoutInterwiki: Don't pass null through to
    Title::capitalize().
  * (T311574, T311576) SpecialLinkSearch: Don't pass null through
    to the parser.
  * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
  * (T296435, T297669) cache: Add four fields to
    LinkCache::getSelectFields.
- Changes since Mediawiki 1.37.3
  Security and maintenance release
  * Localisation updates.
  * (T289879) Type hints for ArrayAccess and JsonSerializable.
  * (T304783) TemplateParser: avoid warnings when called by
    NoLocalSettings.
  * Rebuilt vendor with composer 2.3.3.
  * Fix old_name in UserLogoutComplete hook.
  * (T289879) Address some deprecations for PHP 8.1.
  * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup()
    deferred update.
  * (T309114) LocalFile::prerenderThumbnails: Limit the number of
    thumbnail jobs triggered.
  * (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
  * (T308471) SECURITY: Escape welcomeuser message passed to
    showSuccessPage().
  * (T308473) SECURITY: Escape contributions-title msg for use
    within page title.
  * (T311272) Call parent constructor of AddSite maintenance
    script first.
  * MediaWiki: Don't eagerly initialize action name.
  * Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
  * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0
    to 7.4.5.
  * (T289926) Avoid passing null to trim() in SkinTemplate.
  * (T311473) rollbackEdits: Pass user identity to RollbackPage.
  * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
  * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key
    is null.
  * (T311552) ChangesListSpecialPage: Don't pass null to
    FormatJson::decode().
  * (T311569) FileBackend::isStoragePath() Handle being passed null.
  * (T311544) Pass int to ApiUsageException::newWithMessage()'s
    $httpCode param.
  * (T311678) SpecialEditWatchlist: Prevent passing null to
    strtolower().
  * (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
  * (T296642) changetags: Fix management of a '0' tag.
  * (T311554) ChangeTags: Return early in formatSummaryRow() if
    $tags === null.
  * (T303033) Handle null in ChangeTags::modifyDisplayQuery.
  * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
Johannes Weberhofer (weberho) accepted request 968120 from Carsten Ziepke (Kieltux) (revision 84)
- Update to Mediawiki 1.37.2
  Security and maintenance release
  * (T298261) Fix support for Composer 2.2.
  * (T298283) composer.json: Add wikimedia/composer-merge-plugin
    to allow-plugins.
  * Update doctrine/dbal (3.0.0 => 3.1.5).
  * (T296898) Add entry point name to disabled Session exception
    if possible.
  * (T298564) MemcachedClient: Add support for IPv6.
  * (T297543, CVE-2022-28202) SECURITY: properly escape output used
    within galleries and Special:RevisionDelete.
  * (T289956) WatchAction: Fix bug that prevents showing proper
    success message in the noscript fallback mode.
  * (T268847) Suppress deprecation warnings from
    libxml_disable_entity_loader().
  * (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest.
  * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
  * (T275673) objectcache: Avoid getCurrentTime() call in
    MapCacheLRU::has().
  * (T275673) objectcache: split up MapCacheLRU::getAge() to avoid
    conditional overhead.
  * Fix the json schema and the extension processor for Parsoid
    extension modules.
  * (T299696) update.php: Avoid passing null to substr.
  * (T195807, T256401) Fix signature of
    DatabasePostgres::buildGroupConcatField.
  * In PHP 8.1 don't throw exceptions from mysqli.
  * (T289926) SiteConfiguration: Don't pass null to str_replace().
  * (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
  * (T260735) Stop using is_resource() where possible.
  * (T289879) Apply ReturnTypeWillChange to various implementations
    of built in interfaces.
  * (T299312) Implement __serialize/__unserialize for
    PHP 8.1 support.
  * ExtensionRegistry: Add process cache for lazy attributes.
  * (T301041) ApiPageSet: Add "missing": true to missing revisions.
  * Allow ParsoidModules extension schema to register services.
  * (T300462) SpecialUndelete: Do not show empty comments
    as deleted.
  * (T297708) Allow setting max execution time to several
    special pages.
  * (T205349) LinkCache: Try invalidating cache before throwing.
  * (T302540) composer.json: Add ext-calendar to require.
  * (T302540) composer.json: Add ext-simplexml to require-dev.
  * (T302540) composer.json: Add various PHP extensions to suggests.
  * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
  * (T304008) Don't re-check "Move subpages" on Special:MovePage
    after a warning.
  * (T293576) listFiles: Display file name instead of version.
  * (T303871) Fix @since of Title::getId().
  * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
  * wrapOldPasswords: add \n to two output calls.
  * (T297571, CVE-2022-28201) Title::newMainPage() goes into an
    infinite recursion loop if it points to a local interwiki.
  * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki
    with many file uploads with actor as a condition can result
    in a DoS.
  * (T297754, CVE-2022-28204) Special:WhatLinksHere can result in
    a DoS when a page is used on an extremely large number of other
    pages.
Lars Vogdt (lrupp) accepted request 941500 from Carsten Ziepke (Kieltux) (revision 83)
- Update to Mediawiki 1.37.1
  Security and maintenance release
  * (T296112) Allow inserting new sections named '0'.
  * Fix path for ZhConversion.php.
  * nukeNS: don't run purgeRedundantText() after every change.
  * (T286779, T297031) installer: Fix Postgres mistakes in using
    changeField method.
  * (T225888) RollbackAction: fix missing pagetitle.
  * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix
    permissions checks in undo actions.
  * (T297574, CVE-2021-45038) SECURITY: Fix permissions check
    in action=rollback.
  * (T34716, T297416) SECURITY: Require 'read' right for most
    actions.
  * (T271037, CVE-2021-44856) SECURITY: Fix use of
    EditFilterMergedContent hook when changing content model.
Johannes Weberhofer (weberho) accepted request 933780 from Johannes Weberhofer (weberho) (revision 82)
- Update to Mediawiki 1.37.0
  Read the full release notes at
  https://www.mediawiki.org/wiki/Release_notes/1.37
Johannes Weberhofer (weberho) accepted request 924557 from Carsten Ziepke (Kieltux) (revision 81)
- Update to Mediawiki 1.36.2
  Security and maintenance release
  * Don't access MWServices prematurely in Maintenence.php.
  * (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
  * Installer: Fix foundation.wikimedia.org link in
    config-pingback-help.
  * (T283273) Make postgres IRC channel point to libera.chat.
  * composer.json: Promote and pin monolog/monolog to require
    from require-dev.
  * (T287526) JavaScriptMinifer: Recognize `...` as a single token.
  * (T287526) Update wikimedia/minify to 2.2.4.
  * (T289108) ExtensionProcessor: Remove loaderScripts from
    extension.json schemas.
  * (T281549) Installer: Fix mediawiki-announce auto subscription
    code.
  * FormatJson: Optimize encode() for supported PHP versions.
  * (T290398) renameRestrictions.php: Update protected_titles
    as well.
  * (T290489) objectcache: Fix PHP warning for
    ReplicatedBagOStuff::setMulti.
  * $wgMimeTypeBlacklist - This configuration array now prohibits
    the RFC 4329 form of JavaScript, 'application/javascript',
    as well as previous MIME types.
  * (T51097, T290273) resourceloader: Call getStyleFiles from
    FileModule::getFileHashes.
  * (T277788) parser: Avoid calling ParserOptions::getOption()
    too many times.
  * (T291244) Unserialize objects in ParserCache->mExtensionData
    as objects.
  * MysqlUpdater: Add updatelog entries for dropDefault.
  * (T290776) Fix $phase check in OutputHandler.
  * The wikimedia/parsoid library has been upgraded from v0.13.0
    to v0.13.1.
  * (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in
    Special:Search.
  * (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can
    cause a full table scan.
  * (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection
    of Special:Contributions.
Johannes Weberhofer (weberho) accepted request 902277 from Johannes Weberhofer (weberho) (revision 80)
- Update to Mediawiki 1.36.1
  Security release
  * (T283942) DatabaseInstaller.php: Only run core schema file if specified table
    doesn't already exist.
  * (T247223) Optimise MessageCache::isMainCacheable() for the single-message
    case.
  * (T283244) JavaScriptMinifer: Fix handling of "delete" as object property.
  * (T284391) Fix SkinModule to correctly prepend remote path on document root
    installs.
  * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
  * (T278579) Don't send headers on ob_end_clean().
  * (T285287) MultiHttpClient: Replace PHP version check with defined().
  * (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
Christian Wittmer (computersalat) accepted request 898844 from Johannes Weberhofer (weberho) (revision 79)
Update to version 1.36.0
Johannes Weberhofer (weberho) accepted request 887329 from Johannes Weberhofer (weberho) (revision 78)
Update to version 1.35.2:
Fixes for several security issues
Johannes Weberhofer (weberho) accepted request 874117 from Johannes Weberhofer (weberho) (revision 77)
- Fixed invocation of upgrade script
- Hard-Code main version - scripts don't work nicely with osc
Johannes Weberhofer (weberho) accepted request 874113 from Carsten Ziepke (Kieltux) (revision 76)
- Update to version 1.35.1
  * (T263929) purgeList.php Fix all-namespaces option to match one
    used in code.
  * (T248719) ParserCache::get - fix wfDeprecated call.
  * (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown
    after hitting Tab.
  * Preload mediawiki.watchstar.widgets before api request.
  * (T261030) ApiEditPage: Show existing watchlist expiry if status
    is not being changed.
  * (T264502) Fix PHP 8 compat with strcspn() $length parameter
    exceeding string.
  * (T248925) Remove final modifier on private function.
  * (T264683) Remove ipb_anon_only from ipb_address_unique index
    addition.
  * (T261415) Add days left messages to changes-lists' clock icons.
  * Fix order of wfDeprecated parameters in
    ExternalStoreDB::getSlave.
  * (T261260) Preload class used in HeaderCallback.
  * (T260868, T260009) Normalize WatchedItem expiry field.
  * (T264683) Remove doTable check from
    (Mysql|Sqlite)Updater::indexHasFields.
  * (T264534) ApiPageSet: Avoid infinite loop when merging
    redirects.
  * (T196906) Empty Monolog loggers are now real blackholes.
  * (T258649) WatchAction: avoid UPDATE when old and new watch
    period is indefinite.
  * Parser: Adjust typehint to show that getTitle can return null.
  * (T263592) media: Fix case of FlashPixVersion in 
    FormatMetadata::makeFormattedData().
  * (T265223) BaseTemplate: Guard against passing zero arg to
    array_merge().
  * (T264965) Fix base path handling for MessagePosterModule
    registration.
  * (T252183) Fix Database::getTempTableWrites for multi table
    DDLs.
  * (T182546) Fix switch/case indentation per mediawiki coding
    conventions.
  * Flip Yoda conditionals.
  * (T263213) Move SkinTemplate::getFooterLinks() to Skin.
  * build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
  * (T267105) Make ImageBuilder::checkMissingImage public.
  * Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
  * (T266681) Support new style hook registration on install
    and update.
  * (T266980) Fix unsetting of copyright icon in FooterIcons.
  * upload.js: Don't assume that warnings array will include
    'code' key.
  * upload.js: Fix typo in upload API.
  * (T264333, T190988, T266903) Pass along ignorewarnings param
    to all individual chunks being uploaded.
  * (T267558) importTextFiles.php: Replace deprecated 
    WikiRevision:setText().
  * (T266418) composer.json: add requirement for 
    composer-plugin-api ^1.1.
  * (T261431) Add ARIA attributes to watchlink and its
    notification.
  * (T258877) Change invalid 'Content-Encoding: none' header.
  * Fix trailing ; in patch-sites-site_language-35.sql.
  * (T248852) wfAssembleUrl: Handle empty query field in URL bits.
  * (T268846) Updating wikimedia/testing-access-wrapper
    (1.0.0 => 2.0.0).
  * (T268887) migrateComments: Cast array keys back to string
    before passing to the DB.
  * (T266619) Introduce new $wgThumbPath config.
  * (T269178) MemcachedClient: Cast Resource to integer.
  * (T263925) Use the old HookContainer to set up the
    post-reset services.
  * Change "site cache" to just "cache" in the right-purge
    message.
  * [UploadedFileStreamTest] Skip test with chmod.
  * (T269710) Updating composer/semver (1.5.1 => 1.7.2).
  * (T269710) Updating mediawiki/mediawiki-codesniffer
    (33.0.0 => 34.0.0).
  * (T260631, T260633), BotPassword::save() now returns a Status
    object for the result rather than a bool. The length of the
    bot password grants and restriction fields are now validated,
    and an error will be thrown if it would be truncated by
    the database.
  * (T265778) Fix English/*nix specific error messages in
    FSFileBackend.
  * (T267543) Split dropping of image.img_user_timestamp.
  * [FileTest] Do not assume /tmp exists on windows.
  * Clean up temp files correctly after unit tests.
  * Skip undo related phpunit tests when diff3 is missing.
  * (T269964) rdbms: Remove outer parentheses in insert query
    for Postgres.
  * (T263911) In MWExceptionHandler::report(), catch all throwables.
  * (T268894, CVE-2020-35474) SECURITY: Use Html::element in 
    ChangeListSpecialPage for sanity.
  * (T268917) Use Xml::element in SpecialUserrights for sanity.
  * (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass
    escaped html to LogFormatter::makePageLink for sanity.
  * (T268938) Fixed mixed escaping in
    Language::translateBlockExpiry.
  * (T263911) UserOptionsManager: don't differentiate anons caches.
  * (T261260) HeaderCallback: pre-cache request ID.
  * Parsoid updated to v0.12.1.
  * (T205908, CVE-2020-35477) SECURITY: Unable to change visibility
    of log entries when MediaWiki:Mainpage uses Special:MyLanguage.
  * (T120883, CVE-2020-35480) SECURITY: Divergent behavior for
    contributions and user pages of hidden users and missing users.
  * (T270145) Fix condition that can lead to using APCOND_BLOCKED
    in $wgAutopromote to cause an OOM in PHP.
- Add requires cron, fix missing-dependency-to-cron for cron
  script /etc/cron.d/mediawiki
Johannes Weberhofer (weberho) accepted request 856050 from Johannes Weberhofer (weberho) (revision 75)
- New cronjob must run as root
Displaying revisions 1 - 20 of 94