On Thu, 18 Dec 2014 07:44:59 +0100, Brian Wolff bawolff@gmail.com wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
- (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw
HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
Really? That's stretching the definition of a security bug.
(Remember that mediawiki:copyright is a raw html message, that's included on many more pages. Not to mention the whole MediaWiki:Common.js thing)
Indeed, it seems to me that the meaning of "security bug" has been inflated somewhat recently.