= MediaWiki release notes =
-== MediaWiki 1.16.0 ==
+== MediaWiki 1.16.4 ==
-2010-07-28
+2011-04-14
-This is a stable release of the MediaWiki 1.16 branch.
+This is a security and maintenance release of the MediaWiki 1.16 branch.
=== Summary of selected changes in 1.16 ===
Selected changes since MediaWiki 1.15 that may be of interest:
+* A new skin called Vector was added
+
* Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden,
since Atom is a better protocol and is supported by virtually all clients.
you have the DBA extension for PHP installed, this will improve performance
further.
+== Changes since 1.16.3 ==
+
+* (bug 28507) The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6
+ clients) was not actually sufficient to fix that bug. This release contains
+ a second attempt, hopefully we have fixed it this time.
+
+== Changes since 1.16.2 ==
+
+* (bug 28449) Fixed permissions checks in Special:Import which allowed users
+ without the 'import' permission to import pages from the configured import
+ sources.
+* (bug 28235) Fixed XSS affecting IE 6 and earlier clients only, due to those
+ browsers looking for a file extension in the query string of the URL, and
+ ignoring the Content-Type header if one is found.
+* (bug 28450) Fixed a CSS validation issue involving escaped comments, which
+ led to XSS for Internet Explorer clients and privacy loss for other clients.
+
+== Changes since 1.16.1 ==
+
+* (bug 26642) Fixed incorrect translated namespace due to a regression in the
+ language converter.
+* The interface translations were updated.
+* (bug 27093, CVE-2011-0047): Fixed CSS injection vulnerability.
+* (bug 27094) Fixed server-side arbitrary script inclusion vulnerability.
+ Affects Windows servers only. A malicious file with extension ".php" must
+ exist on the server for the exploit to be effective.
+
+== Changes since 1.16.0 ==
+
+* (bug 24981) Allow extensions to access SpecialUpload variables again
+* (bug 24724) list=allusers was out by 1 (shows total users - 1)
+* (bug 24166) Fixed API error when using rvprop=tags
+* For wikis using French as a content language, Special:Téléchargement works
+ again as an alias for Special:Upload.
+* (bug 25167) Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
+* (bug 25248) Fixed paraminfo errors in certain API modules.
+* The installer now has improved handling for situations where safe_mode is
+ active or exec() and similar functions are disabled.
+* (bug 19593) Specifying --server in now works for all maintenance scripts.
+* Fixed $wgLicenseTerms register globals.
+* (bug 26561) Fixed clickjacking vulnerabilities by introducing support for
+ X-Frame-Options. The header value can be configured using $wgBreakFrames and
+ $wgEditPageFrameOptions.
+
== Changes since 1.16 beta 3 ==
* (bug 23769) Disabled HTML 5 client-side form validation. Was introduced in
=== New features in 1.16 ===
+* A new skin called Vector was added
* Add CSS defintion of the 'wikitable' class to shared.css
* (bug 17163) Added MediaWiki:Talkpageheader which will be displayed when
viewing talk pages
* (bug 17790) Users instantly logged off on HughesNet
== API changes in 1.16 ==
-
* Added uiprop=changeablegroups to meta=userinfo
* Added usprop=gender to list=users
* (bug 18311) action=purge now works for images too