Fedora 20: MEDIAWIKI-2015-5569 Critical: XSS and DoS Protection

* Wed Apr 1 2015 Michael Cronenworth - 1.23.9-1 - Update to 1.23.9 - (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks. - (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS. - (bug T88310) SECURITY: Always expand xml entities when checking SVG's. - (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS. - (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview. - (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy. - (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL. * Thu Dec 18 2014 Michael Cronenworth - 1.23.8-1 - Update to 1.23.8 - (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this. - (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name. - (bug T74222) The original patch for T74222 was reverted as unnecessary. * Fri Nov 28 2014 Michael Cronenworth - 1.23.7-1 - Update to 1.23.7 - Release notes: https://www.mediawiki.org/wiki/Release_notes/1.23 * Mon Nov 3 2014 Michael Cronenworth - 1.23.6-1 - Update to 1.23.6 - (bug 67440) Allow classes to be registered properly from installer - (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header * Thu Oct 2 2014 Michael Cronenworth - 1.23.5-1 - Update to 1.23.5 - CVE-2014-7295 (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance. * Fri Sep 26 2014 Michael Cronenworth - 1.23.4-1 - Update to 1.23.4 - (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter