MediaWiki security release 1.16.1

I would like to announce the release of MediaWiki 1.16.1, which is a
security and maintenance release.

Wikipedia user PleaseStand pointed out that MediaWiki has no
protection against "clickjacking". With user or site JavaScript or CSS
enabled, clickjacking can lead to cross-site scripting (XSS), and thus
full compromise of the wiki account of any user who visits a malicious
external site. Clickjacking affects all previous versions of MediaWiki.

Our fix involves denying framing on all pages except normal page views
and a few selected special pages. To be protected, all users need to
use a browser which supports X-Frame-Options. For information about
supported browsers, see:


For more information about this vulnerability and the related patch, see:


Other changes in MediaWiki 1.16.1:

* (bug 24981) Allow extensions to access SpecialUpload variables again
* (bug 24724) list=allusers was out by 1 (shows total users - 1)
* (bug 24166) Fixed API error when using rvprop=tags
* For wikis using French as a content language, Special:Téléchargement
works again as an alias for Special:Upload.
* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in
* (bug 25248) Fixed paraminfo errors in certain API modules.
* The installer now has improved handling for situations where
safe_mode is active or exec() and similar functions are disabled.
* (bug 19593) Specifying --server in now works for all maintenance
* Fixed $wgLicenseTerms register globals.

Full release notes:


Patch to previous version (1.16.0), without interface text:
Interface text changes:

GPG signatures:

Public keys:

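The framing policy described in the announcement (framing denied everywhere except normal page views and a few selected special pages) can be checked from outside the wiki. The following is an added example, not MediaWiki code and not part of the original message: it audits captured responses for an effective X-Frame-Options header. The /wiki/ article path, the English "Special:" prefix, the wiki.example host and the allowlist passed by the caller are assumptions; the announcement does not name the framable special pages.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Browsers ignore unrecognised X-Frame-Options values, so only these two
# count as protection against framing by another site.
PROTECTIVE = {"DENY", "SAMEORIGIN"}

def framing_may_be_allowed(url, framable_special=frozenset()):
    """True for the page classes the fix leaves framable: plain page views
    and special pages the caller explicitly allows (assumed site policy)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Assumption: pretty URLs live under /wiki/; otherwise title= is used.
    path_title = unquote(parts.path.split("/wiki/", 1)[-1])
    title = query.get("title", [path_title])[0]
    action = query.get("action", ["view"])[0]
    if title.startswith("Special:"):  # localized namespace names not handled
        return title.split("/", 1)[0] in framable_special
    return action == "view"

def xfo_blocks_cross_origin(headers):
    """headers is a list of (name, value) pairs. Header names are
    case-insensitive; repeated headers must all be protective (conservative)."""
    values = [v.strip().upper() for n, v in headers
              if n.lower() == "x-frame-options"]
    return bool(values) and all(v in PROTECTIVE for v in values)

def audit(responses, framable_special=frozenset()):
    """Return URLs that should refuse framing but send no effective header."""
    return [url for url, headers in responses
            if not framing_may_be_allowed(url, framable_special)
            and not xfo_blocks_cross_origin(headers)]

# Constructed sample responses; wiki.example is a placeholder host.
SAMPLE = [
    ("https://wiki.example/wiki/Main_Page", [("Content-Type", "text/html")]),
    ("https://wiki.example/index.php?title=Main_Page&action=edit",
     [("X-Frame-Options", "DENY")]),
    ("https://wiki.example/index.php?title=Main_Page&action=history",
     [("Content-Type", "text/html")]),
    ("https://wiki.example/wiki/Special:Preferences",
     [("x-frame-options", "allowall")]),   # invalid value, ignored by browsers
    ("https://wiki.example/wiki/Special:Search", []),
]

if __name__ == "__main__":
    # Hypothetical allowlist: this site chooses to let Special:Search be framed.
    for url in audit(SAMPLE, framable_special={"Special:Search"}):
        print("no effective framing protection:", url)
```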