Together with the announcement of MW 1.28.0-rc.0 on November 2, 2016, a total of six security issues were announced as fixed:
- (T137264) SECURITY: XSS in unclosed internal links
- (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
- (T133147) SECURITY: Require login to preview user CSS pages
- (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
- (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
- (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
Since no immediate releases for the MW 1.23, 1.26 and 1.27 branches were made, I assumed that these are not affected. Today, with the release of MW 1.28.0, I had a look at the very first issue and already learned that older supported branches are indeed affected too. I do not dare to look at the other five at this point. However, this makes me believe that we are now in our fourth week of security issues known to the general public with no release addressing them. Is this assumption correct? If yes, I do not think that MediaWiki is in a desired situation.