Release Notes: An XSS injection vulnerability was located in the Ajax support module, affecting MediaWiki 1.6.x and up when the optional $wgUseAjax setting is enabled. There is no danger in the default configuration, with $wgUseAjax off. If you are using an extension based on the optional Ajax module, either disable it or upgrade to a version containing the fix: 1.8.3, 1.7.2, 1.6.9, or 1.9.0rc2 release candidate.
Release Notes: This is a security and maintenance release of the 1.21 branch. It fixes extension detection with 2 .'s. Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed. This release sanitizes ResourceLoader exception messages. It will purge upstream caches when deleting file assets. The unit test suite now runs the AutoLoader tests. The autoloading entry for the PageORMTableForTesting class has also been fixed, though it had no impact.
Release Notes: Several bugs have been fixed.
Release Notes: A cross-site scripting (XSS) vulnerability was fixed. Fatal errors with unusual file repository configurations, such as ForeignAPIRepo were fixed. The "change password" link on Special:Preferences was changed to have the correct returnto parameter.
Release Notes: XSS and CSRF vulnerabilities were fixed.
Release Notes: An XSS vulnerability has been fixed.